Malware Analysis Report

2025-08-05 09:05

Sample ID 241230-v5hkcstmhw
Target JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649
SHA256 6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649

Threat Level: Known bad

The file JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:34

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:34

Reported

2024-12-30 17:36

Platform

win7-20241010-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\ja-JP\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows NT\TableTextService\it-IT\75a57c1bdf437c C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A
N/A N/A C:\Users\Default\Music\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 2300 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1868 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1868 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1868 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2784 wrote to memory of 2412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2184 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2184 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2184 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2392 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2392 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2392 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1088 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1088 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1088 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1644 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1644 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1644 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 1824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2220 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2220 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2220 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2304 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2304 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2304 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2748 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Music\smss.exe
PID 2784 wrote to memory of 2748 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Music\smss.exe
PID 2784 wrote to memory of 2748 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Music\smss.exe
PID 2748 wrote to memory of 2440 N/A C:\Users\Default\Music\smss.exe C:\Windows\System32\cmd.exe
PID 2748 wrote to memory of 2440 N/A C:\Users\Default\Music\smss.exe C:\Windows\System32\cmd.exe
PID 2748 wrote to memory of 2440 N/A C:\Users\Default\Music\smss.exe C:\Windows\System32\cmd.exe
PID 2440 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\it-IT\WMIADAP.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2784-13-0x00000000003F0000-0x0000000000500000-memory.dmp

memory/2784-14-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2784-15-0x0000000000150000-0x000000000015C000-memory.dmp

memory/2784-16-0x0000000000170000-0x000000000017C000-memory.dmp

memory/2784-17-0x0000000000180000-0x000000000018C000-memory.dmp

memory/2748-52-0x00000000000E0000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R5M4O1NB35SVFCG239TZ.temp

MD5 614222d83d48fa35060ee4cdb15e16c8
SHA1 1b49b086d273b1302e99c3bd4a9ea73a0bef7c09
SHA256 d0614b0dd65dd3ed1db9ecc8d11c27902d69eb48d2a930a3317e31f56aa7e8f1
SHA512 ce3629d18cbf56da2ee7b8c8a328bdcf9b3a1e0f558ea570cf4a6a767a10fab7d487037b261921058539e0313bcf3ed6d3b90a10990e54bfe629d03817e20bca

memory/1088-59-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

memory/1088-58-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2748-129-0x00000000002D0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab60.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar73.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

MD5 fd57a942a6f6c34d30312d3bf95b9360
SHA1 17b8c5aa201222577403edae31771a725ac83540
SHA256 801812208e493f240b952dbfa36f03c24c1d6cca4f58f57c29f2f020ac250450
SHA512 1672f5cd9b6790fe314c279a921baf6b70870197dfdceff78925b958c921abc347327ec19f71c7ebe04205c028f72abc065fe25cfdc6c2737cb37550d7a8a24f

memory/2268-188-0x0000000000FF0000-0x0000000001100000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9db2b3f2f66075b3bd759a3b9d95518
SHA1 99d90e97463e48d285ffa3c750c901a09d0507ac
SHA256 1db37d6b43b4319e8e0f3f4ddb30c39a5740a7b778e19fbb561ab162812bfbb9
SHA512 51480000ddc5db6b1b8a216af7fa593a20afd7000c0326ac194c1724581cb1e9d30a6fa448d6e973ce75d5ee43bc3be89263e0239a6e95de38cb97796ea98e90

C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

MD5 33ecaa8e7bb93f61534f87ee29b2ef15
SHA1 76462b4b379fe7a618784dba6c75d494d967da6b
SHA256 05b774198d26f9f7c9fc433363a991c1056f148e3e6c3eb4766294d829c28c09
SHA512 5987073e49c60ba97451ac542ccc2717337706bfdcab72fbd2f60d2c07ccc1900c0ce3537bb5e705fa998d66fdfc8ebd3d189a3c119b0a80fcb32e922f85d324

memory/2820-248-0x00000000010A0000-0x00000000011B0000-memory.dmp

memory/2820-249-0x0000000000340000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fd2a9a5d311e4aa1fb05de55715640c
SHA1 4e85edd7ada08913c369f10d41c664fc8717c9b6
SHA256 85ada1798bae0a95fc9b4e166c1d097f7701e332ce0976659e671ebedfc3c719
SHA512 2c3f9fb0328e5f3b1a6a039c3a34fe505389a75a5e9e57f06cdd65b078b28ee8d5dcaa150d9f4ce5d4d36cad7f48b3aed15e19ba32e1d7c51156c466d8f083e7

C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

MD5 77a218b732581257d5b63d9ee885e0dc
SHA1 cb2817b1ebf8714db34fc69e3a40ca0119c40ab3
SHA256 ab2cb99993360eecce864a2247e3301a3b8330dffa132510c82441d217ed6877
SHA512 2b92bba409d81d7a7f6be0e44695b6483a67739874a781e7b7bf2f58cd404da82f3b784a3218e1a3d78fbd6402c5d8478c83c22d742394907de245b25287f5c0

memory/568-309-0x0000000000340000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9acab142f07489f3d3f35e2c4901ff1
SHA1 6abc081f90a84250d8c9bd0ff580269f61d1de4d
SHA256 74b783d9bc6391977530cebb9841a89afc792c1063066d67b82141e2817178c6
SHA512 ac270b64a975efa5f2d637136c9d6a49c48841b5b4264461816062a4b8a5f76ca3c2b21a2ed956ef77c7cf17b946ebbbac98289aa5ac05a4339ec6ea4e920d55

C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

MD5 f1aaace5729d77bb665ab5dbcc22c47d
SHA1 b1cd8419af98c012bf781b27eb176fb03916cd19
SHA256 bc8a4eb57ce9ee8a5f5cdc279f742bc1b01d8f313e39ed52cac77a592a51b0cb
SHA512 a1c49186d4135ee6208f82c30d0d8784e35f0b09a9b5223bbaed016574d1fce9547fe970cbaeb75bab96480ac740959e6f84b52354ebf79500f5995790c87e0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3495146d54816ee6fbbb4a314645a980
SHA1 57e107822ea1326b2ad4771cd6e8f779f4a07e05
SHA256 a4d76a0f2740f0585370641541de4defdb83706b0b04d984e69fb6efb33e4c33
SHA512 fb1f73f50d924136fca9a5a50332f02e5178cc5fc444c873d29af6baec04d0862ccca3984385635ef403b4549f035e0d6ac595594f369ed343a1423019ed1b46

C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

MD5 990a7c62da5657209b5c55352b687c4e
SHA1 2dc42c87ae1a269b3b1dcf549f213b1f7cf8aaf6
SHA256 9440cfc08e51cdc9cb0c4e3b045a7c85e40ec5a2984172d35b3750d8416ae5af
SHA512 38c4b07d9d71ac3d0a4f000909781fc9cc4543c3a068eae65fe9bdeecd999d7d809e1c00a907d4be6d9efcca9d5ce7afd5a37ac40408598ced348ad815f98816

memory/1224-428-0x0000000001320000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54f6df09f39fbfe16f0c2544254338a0
SHA1 08498cf7b152ed298e635c9b5d00ec0cf4a8cb21
SHA256 c24569cb56dcdabb521a01c385c7d10e5be2f27869ab5b959011a20a8788edef
SHA512 f8e1fb46daae74ba2b181d38a01fb59a45a1c8629fee31feab9ed629bc5b26939a85c98b086fe3dab04a7bd7dd5ddcae514a6a8450864e11dd37ca2b78a09437

C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

MD5 0dec298a6de8fd5fdfd72f475855ff60
SHA1 f9ec42e2514799aa165b7a54942d13ea67c3381d
SHA256 329569f9eeff2a9463a3220a2480abf6a62730b9e9c614d48d1ecfef279b738c
SHA512 06d0f5bd9c3522a6948a6c2f4b57ae85550237e5337ea970b85acbd9016cd8c1c92f3db7543463117241d98f1152329aab1bcae3c0b1ac6e1697703fd3391935

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64b67b7f8d021adfd200846add1da229
SHA1 ec4f646cbd57b4234ad61f8f7c487dee62fa5789
SHA256 ff0261bb95a062119a7ebc54040c836d05459d0d12efee9f1659047d83dc7f76
SHA512 607791c3e3c4b81d3df81a9f7f62b8aee5890c5209b01901acd5a1586584e0bc9e9ccfc91cf80d54ed7302ad88f3612b5fe6ad6f57dd8221e2ba2fe04d2df674

C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

MD5 971d20d9921a51e098c2c4c9d92e8d13
SHA1 52cc370d0c0012db87503292466c0ab184cdcf37
SHA256 dcac3bf370d6604b819e41a924897ec93435f7af132c4936685c6377b752238d
SHA512 bf438b676869d2da10c8bcdf68b2978ed48c2e2e1a377f88dc7adb759ed0ac722244f0bf7fb3e651332924095e679957b3ce590c672d54ab0bf196c1ce7c206e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 311783d83ee243e7ba627226e74672a7
SHA1 77a5d413b0ccbf2028c1ef544c76a3d7e5d4ded1
SHA256 1620e0627a9bb212dbdb705eefef4d3811d721eda44aeb0afda9e61e53cfad33
SHA512 671132be8c054b0765638aa1e8cdbf0f04e342c7fe5ea28f175e86b90e25b27756d8f71e18ab72326fa39075b6c3235f4861a016bad7742643cc1a06694004d4

C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

MD5 381a7e330a51e4fe15d37705ef05dd7f
SHA1 b03540cf035fcb3900e75df5b643d7d08ba88bea
SHA256 a637eacfab6b845056059032bf75cc026137942b3392d479cf4fc8a4290ac104
SHA512 e67b4d3fc8641395d3e8fa722dd03f60f290c511aecb9d43cdeef972ad0e39e5aa4feffb4ec6433b80262ce2f1ece65e1246c766b8335fbf505f569140388fb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ffbcc838e8f3d32dcdce2c607d92ecb
SHA1 b0ce79890ab769b48a2e4327b9d6b5cf4e72a01b
SHA256 edd1602ba77206e956aff4ae5c1c0cf40edb97722e9b97be18a9b20de221eb71
SHA512 e19f29b0256eb347b2161db2e3c34579a7aa26846779deb998e99c9d2bc487128c1070c80cc9d5299cdcb23702e93fae9acf7a55a0146cd9280faf246837959e

C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

MD5 fbe3edd495c172a3aa2a6a6273ff9c03
SHA1 2a8f17f82f8abd58eee2f2c9988606947c2a4043
SHA256 3bff811ca1eb38fff6ed7f125e98ccb0a03003bb742b801ab9084916475cc59f
SHA512 90d104ef9898749b0304daf24df5ff0941c536136196c30212faaad779a7f933b71279c3a37ac9b8a8ebd4c900035a77a79924f0bddde0cac1dce0c10b7027aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e28f25c55ccdc745340f841ba32aaee
SHA1 10e7df8faa9862079da450c161ad21ded78a77d5
SHA256 d459c5a2c2bc1110a8c089266f99489322535dacc030f8e2060001cb2e1d4e8a
SHA512 3c1eea7f0180c63a28c3fb5e87e6bb6c9b13df63f008f322260fc5785aeb5877eb889192834a405fbfac9850d90a1cba235939f6455ee6d83747af771b6aeb87

C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

MD5 ae9ab9adc02718aba7036feab021d2fc
SHA1 2228cb1f3c0ecc51bf0f22b6ca5e6ffbfa854d37
SHA256 8c146e662b16f2236dc8cd228ea3e00ca14cb3605d8b2530de6802713bd185d5
SHA512 f0d9da8dcf069dc59b2917e36de6d4d9d3caa54fd7cae17b62b17cfebbd7c2f60f71d34bd9570d72a98717d2b17e06674575b29fa650743be361d48f12302418

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43bbb8d8bf5f125bfb49dddf633066b7
SHA1 8eac2551a14e4e015d0e5adba791738519ad81d2
SHA256 21e64dcea0a4d1f1fbe338f97cf1e2f3828b40a5e1e57e80c10cf5e7b01eee48
SHA512 8f49b6578d5de67ecd2bdf240ca86ce8fd41d73e45dc5338a26ea947caffe099d810c994c7669913a818da9bb6eba1bd071ff341f34cd2f863fa86d500bda2ff

C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

MD5 73be6968966a51477f6ea6a1d4123954
SHA1 ac13791c42f74051ff68c794f585d94b6b55b790
SHA256 2a370102b862e275269781c2cef55bb49141b0c0c4fa43145f73f23205486d9b
SHA512 0b89f365ae8d0bdab0b9146ef0b0f2ffd5f73ee4e4dc86ee31bc9e7bcaee252c3e5201e8ba5427177f784863cc4f2395beb0f354ce087a34ece96c655c6ca850

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:34

Reported

2024-12-30 17:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\SKB\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\SKB\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellComponents\TextInputHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellComponents\22eafd247d37c3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\PolicyDefinitions\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\PolicyDefinitions\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Registration\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 4576 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 4576 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe C:\Windows\SysWOW64\WScript.exe
PID 1740 wrote to memory of 3840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3840 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4360 wrote to memory of 536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3492 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3492 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3512 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3512 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 2592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 2592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 1112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 1112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4128 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4128 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 1648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 1648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4352 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4352 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4672 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4672 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 5108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 5108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4624 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 4624 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 2924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 2924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 3024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4360 wrote to memory of 2752 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4360 wrote to memory of 2752 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 5328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2752 wrote to memory of 5328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2752 wrote to memory of 1272 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 2752 wrote to memory of 1272 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 1272 wrote to memory of 5388 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe
PID 1272 wrote to memory of 5388 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe
PID 5388 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5388 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5388 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 5388 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 1228 wrote to memory of 636 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe
PID 1228 wrote to memory of 636 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe
PID 636 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 636 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 636 wrote to memory of 5772 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 636 wrote to memory of 5772 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
PID 5772 wrote to memory of 3512 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe
PID 5772 wrote to memory of 3512 N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b07f1fc796949b8b50575f65dac84cadfdc3dbb428962cd9eaaa26033d0e649.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SKB\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8EQDjqTc9W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4360-12-0x00007FFC274F3000-0x00007FFC274F5000-memory.dmp

memory/4360-13-0x0000000000320000-0x0000000000430000-memory.dmp

memory/4360-14-0x0000000002530000-0x0000000002542000-memory.dmp

memory/4360-15-0x0000000002560000-0x000000000256C000-memory.dmp

memory/4360-16-0x0000000002540000-0x000000000254C000-memory.dmp

memory/4360-17-0x0000000002570000-0x000000000257C000-memory.dmp

memory/3512-66-0x000001FDA81E0000-0x000001FDA8202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvzdepq3.pll.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\8EQDjqTc9W.bat

MD5 445f624a94136e634e8f1635ba4b8aeb
SHA1 999a23527068a6a65a1d4f3ab51bb44de5c5f00d
SHA256 1e1aaf34339f49c17f41dc5ac42fe02b42af0850b9add0aa528d31df112ee29a
SHA512 c14ee0097631b8adffa051a6af29917d02cb20a98010a2a921bff81bdf14c59ba4910079b4ce337c2d6fe5e38f7ac3f59dad279f25e5fd0dae25b7ff87426941

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d4235aa2e6d782751f980ceb6e5021
SHA1 f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512 dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

MD5 ce6c97fe0348bbe83f41c3494e31d004
SHA1 5d8468873f95a71d2228bde416a8a0414916c195
SHA256 867db2d4db430d60ada7941de916e2c166af53db47becdeb97b9f2c50fef28f9
SHA512 d425906715f0c2d006bcf5a0e1e610dc3647313fd7e9fbb72880cbea3fc027af45f053daaa7dc30884fa9b7d6432f4c203efbfd3c5927d4c4dd2ad9e7801b76e

memory/1272-256-0x000000001BD10000-0x000000001BE7A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/1228-259-0x0000000000B90000-0x0000000000BA2000-memory.dmp

memory/1228-263-0x000000001B710000-0x000000001B812000-memory.dmp

memory/1228-265-0x000000001B710000-0x000000001B812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

MD5 f5b2198c428488ed442bfbb09eb4ecba
SHA1 fd5b4db9a9be114564516ea413ac1c96800c667e
SHA256 d438c653a4ed2d96d1036f857d16f4e61e0200cf0ca01c6295af4c3b8c68f5d3
SHA512 afb23546250a7d2895ef629e60de4514add55a0590c3526c37307cc74ba382d84bdef507e6fe2b588ee184b8a265ec8eb44de631e1e5612853d283c2d1cc07f3

memory/5772-272-0x000000001C350000-0x000000001C452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

MD5 36879b0cab793f8e2ade6bcc99253fce
SHA1 859802ff53adef3cdabe3f4ccd31a1c27b951c7a
SHA256 c7328776bcffdf1e6781a2afaaf7eec257748428cf5de0633d2817b9b8b6e1dc
SHA512 ad23383ef7f1789cc3fa4fecc01da31c538c7bcbbb9c915b934c4273c0901e1cd1a09017d1452d2eb45a5775880d7030a737e662798935ec80c9594563b8c8e8

memory/4404-275-0x0000000002400000-0x0000000002412000-memory.dmp

memory/4404-280-0x000000001B8E0000-0x000000001B9E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

MD5 f9328eea06c71b818b5a519456e2689c
SHA1 10436928b685c378bebae993952b3c46bd433177
SHA256 f71a8c40abf9d6d7ec080620ee97cbc285ff9f1737e823dff386b28cb8936de1
SHA512 aa9298663c9b9312223c06ff1f09f36227610a6868c43ad88a3c47104a087983b4918d716258819af78486d60758bb971474715509b49ac1440517de41f07589

memory/5816-283-0x0000000002A40000-0x0000000002A52000-memory.dmp

memory/5816-288-0x000000001BD10000-0x000000001BE12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

MD5 f2a1906278a4596e7753dc621f90ca42
SHA1 ce50cbfa062b0ce4755b0471095e6166487a1b3a
SHA256 e1530df3ba82c1d513640ef1ada7ce8875d6231ea2f19408e72d11e5a62ae0f2
SHA512 e7f16ceffb9b5eae8719bce0fc95775fa1c6adcadb5e9d48da04b471a0d9f0d3db2bb751af169b1f0a6612029028bcee08e74d26fc07119d1a5d5991d26793ce

memory/4364-291-0x0000000002C50000-0x0000000002C62000-memory.dmp

memory/4364-296-0x000000001BF40000-0x000000001C042000-memory.dmp

memory/5628-299-0x00000000030B0000-0x00000000030C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

MD5 0a672c8514a20c59bbec911bc9c7cb97
SHA1 cdd45c44d846dcf9bdfd346f620d368e66000238
SHA256 56928ea81b61f70c56d48f872048f0128783b57b6512e975cb3265b29f0f7794
SHA512 5d0a5c5bbab4aaf4b5ad47b50ae680215f4a2c0be058de705458c7c3b0d311fb76dbc0ea64182c1cb510a9d95decf148137cc85ad4ec56aa96bab9662d10ab39

C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

MD5 250be0898ccddef7f5e734e26b2dff8a
SHA1 2b7474ec030c3f944eefdc2a0180c46f0e5762fe
SHA256 6a27e2d3222f7f589f2b3ea51ab0055ea17c1e11c5b49bc31a2522508c69d89b
SHA512 eb6b6ea336fbf5be7d8162c5ad7a6a82e32631ebddd54a6a74ab08c76e6d2315040401e8012d36730a0685c14801d262f9bf987c7d57b290ef79b7872ddab82c

memory/3860-318-0x0000000000F60000-0x0000000000F72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

MD5 6e1a5a1906c9fbff13e86528757cd3d9
SHA1 fbd5c39216a836be9847ec1945997996a395156e
SHA256 b4b36e8d24167efa31cdae513bd0f5b567404611f8ef406425ccb407440a6a97
SHA512 9c9a2db8bbb5ae91b6ec883cd33a9f5b65ee2adb7d2fa5b38884f0c1fff2eb1fce6f8395600b7fb245796cbce65d231f69756d5d4eb3e2559b0a909096acbd20

memory/1840-325-0x0000000000D30000-0x0000000000D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

MD5 92fb61314b2abb6729e0b0ea8672a615
SHA1 8a248bb2a9e34465b3953ca433dc4d25d38fa59e
SHA256 87e353e9dc53f2d2560ce644ba540aeee25b89e8dce6b6fe784c30db38142080
SHA512 684f5ee809643e3c970c9c757e48602077aac4d63c07bc9613be7a1055c7c082a6bfe71173bc7d9c3c22eb3911649d3c3a6743a89fb27e290749e4e9e19e7856

C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

MD5 6fd9f8734942ddfb130b44d124de7b6f
SHA1 ecc01552bba058861525a1f529248e47435b2ab0
SHA256 b9df6db24444d8e54f6ca40602e3ed1eb9fc099f6094d37971b63f54897a1cd9
SHA512 457e36c9d796f0f44514ca310273eff1d52b187476bb31937fbbaeb26935258ed073030b3e5fbfcc7eb6c6c9df0eda2e0638f7769e93fa135e0c4a1462f3c799