Malware Analysis Report

2025-08-05 09:05

Sample ID 241230-vlvqkszqcq
Target JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2
SHA256 e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2
Tags
rat dcrat discovery execution infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2

Threat Level: Known bad

The file JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:05

Signatures

DCRat payload

rat

Dcrat family

dcrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:05

Reported

2024-12-30 17:07

Platform

win7-20240729-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Games\Chess\en-US\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\DISM\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Web\Wallpaper\Scenes\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Web\Wallpaper\Scenes\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Logs\DISM\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe C:\Windows\SysWOW64\WScript.exe
PID 2044 wrote to memory of 2896 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2880 wrote to memory of 2892 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2188 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2252 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2720 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1452 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1348 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\winlogon.exe'

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\smss.exe

"C:\providercommon\smss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:05

Reported

2024-12-30 17:07

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\icsxml\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defender\fr-FR\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Crashpad\attachments\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Crashpad\attachments\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\explorer.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bcastdvr\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\unsecapp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\29c1c3cc0f7685 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\security\cap\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\security\cap\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\bcastdvr\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\bcastdvr\csrss.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A
N/A N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe C:\Windows\SysWOW64\WScript.exe
PID 3048 wrote to memory of 1160 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4204 wrote to memory of 3580 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 3040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1056 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 2616 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1208 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 2524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 4488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 64 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4204 wrote to memory of 1368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1368 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1368 wrote to memory of 4180 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 4180 wrote to memory of 4980 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe
PID 4980 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4980 wrote to memory of 3016 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 3016 wrote to memory of 4304 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe
PID 4304 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4304 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 4496 wrote to memory of 2412 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2412 wrote to memory of 3940 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 3940 wrote to memory of 2944 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe
PID 2944 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2944 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 3032 wrote to memory of 1128 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe
PID 1128 wrote to memory of 1316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1128 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
PID 2640 wrote to memory of 3624 N/A C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\cap\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\cap\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\cap\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cap\winlogon.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe

"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bljmgomc.jjf.ps1

C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat