Malware Analysis Report

2025-08-05 09:05

Sample ID 241230-vpdlgasra1
Target JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f
SHA256 21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f
Tags
dcrat discovery execution infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f

Threat Level: Known bad

The file JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f was found to be: Known bad.

Malicious Activity Summary

dcrat discovery execution infostealer rat

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:09

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:09

Reported

2024-12-30 17:12

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\55b276f4edf653 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\ea1d8f6d871115 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\unsecapp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\upfc.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\CRMLog\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\es-ES\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\OCR\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Registration\CRMLog\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\es-ES\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 1488 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 1488 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 4056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4056 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 5096 wrote to memory of 4768 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4768 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2716 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2716 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1828 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1828 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1860 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1860 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 1008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2104 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 2104 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3096 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3096 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 5108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 5108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 872 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 872 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 4528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3556 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3556 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3088 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3088 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3988 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 5096 wrote to memory of 3988 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 3988 wrote to memory of 5568 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3988 wrote to memory of 5568 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 5568 wrote to memory of 5464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5568 wrote to memory of 5464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5568 wrote to memory of 3124 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 5568 wrote to memory of 3124 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3124 wrote to memory of 5820 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3124 wrote to memory of 5820 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 5820 wrote to memory of 5172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5820 wrote to memory of 5172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5820 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 5820 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1636 wrote to memory of 1476 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1636 wrote to memory of 1476 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\providercommon\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5096-12-0x00007FFA0FBE3000-0x00007FFA0FBE5000-memory.dmp

memory/5096-13-0x0000000000890000-0x00000000009A0000-memory.dmp

memory/5096-14-0x0000000002B10000-0x0000000002B22000-memory.dmp

memory/5096-15-0x0000000002C50000-0x0000000002C5C000-memory.dmp

memory/5096-16-0x0000000002C40000-0x0000000002C4C000-memory.dmp

memory/5096-17-0x000000001B580000-0x000000001B58C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u03lvg0w.o44.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3988-86-0x0000000001540000-0x0000000001552000-memory.dmp

memory/4244-76-0x000002F85F1B0000-0x000002F85F1D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 71fa55c67a762ba70e40011153e19b3c
SHA1 a36d2bb4802a8ec7db1a68de5f0c3d6007987492
SHA256 b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291
SHA512 32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ecceac16628651c18879d836acfcb062
SHA1 420502b3e5220a01586c59504e94aa1ee11982c9
SHA256 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512 be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

MD5 04d055ff3352b52c09375fd5767ee40b
SHA1 0f164f5034e1f159ce47f854820a84324e35597e
SHA256 71709e8f05adee58660945af9fbeb6108193a793b9d53c3c97a977c07ec72524
SHA512 f249d1966d2477ef96399687d15ce3ee949e9c7d28ed3b893e9881ce2fbaf9e11674a8e155261205554db7a60a4f547a8caa4cd1865fceb0420da4c689166efd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

MD5 240e08a70be9d1507faf44fadd543c3d
SHA1 0b50df65c39e5443427b9e9835eb102265af5ead
SHA256 d6219135bb448af567037b2d54cd186c0778443399766c602284f90e31d0101e
SHA512 a360bcbad2412f248f814284b46a3cd03855c6a7a725bfee23126904dc0f91cbe4f103c3ebc418231dde6773eed20cb5a855d4314169e1facb7e7ede23425d55

C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

MD5 73e5aed612c68b10bd61bb825e518294
SHA1 5cea2b99c811d8f7ba692df081296b1f3a8cc10f
SHA256 c4b83e1c10ed0e474e9a33c2dc9420c3db5d20ad2af230ffbe4e6833ba094ea5
SHA512 5a03a205125c72d174c248d2147220480bc66dfca98e287b635e733f0d12747826b50fd16cefc740fd15e15a3e464f51d9a70c3439cce009e7ef5268b49357c3

C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

MD5 5fbf9af806629d741713ed69130c6580
SHA1 e45e7618ae7138d48e2e8c57ea9f13f8d2bdb24f
SHA256 a1de5c342524f468e47e93e23c6e2b77838bc2ee0ac1161493732ad8f5c45c3d
SHA512 87c469f1d16bc430473f02e65036945d22b5869e159fc0110743dd3bcf54b8d9b9fdc34548e2d842caad78e337dbf43de461f2a8e9c20affdef213bbd388a309

C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

MD5 c50928e5ba90da0257f181a5aff93fbf
SHA1 09ebbbbf5bfcdbbf6a5ae596662018a89a156bff
SHA256 afa91096011c7d52542570c6b2a14f49d7ca804bec7b2b5e6b1955a02dd26cfc
SHA512 ed1dae26efdddbf0dd7959ec8072a7787c6a195b7bfd5bf8fd9745e361f5a3c902292eb9ab44a8b6bd1ce6e3014f28d23ae456b0f5a0ad7ac2abc5d2e25cf6c0

C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

MD5 3377c0c48a848af5972a01c3fe80f356
SHA1 157fc9fd1f3b3096d58175d838b59b7b3d9a9dda
SHA256 87c6cdc30f4299999b0a69f6ca179eca419ad3af4d49ff19823d5c219410d04b
SHA512 6ac5085b1c95931029289e4815ef7fc50ef5086c4ba1ad5e489c77f60dab8e8e00879557ab4a297640d84297e60ef2f9ad9910593417640c3f06dbbf62360a79

C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

MD5 c460810600af94aadbe8d5feded88476
SHA1 56e4caa7144133774fef6b1ca63b41c55c7905cf
SHA256 9a05ce8c108d81ea1cc392fe33414520e9ea3011e8db5f2136c8e5e91bb1acb2
SHA512 8782521f015b592e7521471cc394211edf00921d1ef81fefded1950bcb1e28f5b705c0b8a1fe132385b48672f073159313e1b2e828f3dc3ed00fde4a79f5c77f

C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

MD5 36068d1a720e31e9a29db13f8c130abf
SHA1 3333a46c3904007658a49bbf17dcddc05115ede5
SHA256 2cac5b1e7d1ca635cf0a5555dfec72f36ef08b220a2fcb3289ec174e81843cc3
SHA512 666fecde2973c177ae77b90e9617ddcc08bef3ffa7d61fefd63028d2af5ee22fa08b16320756a71fb382628d3242c4330c309abfb839c4ad9f299edc6237f0bc

C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

MD5 b5be108a03eb7ce36ea3e1b779d2de2e
SHA1 8a20f1522084550a0070218f5418fec27eb07514
SHA256 0844d17e8669718c7ccbc2308f040113cbab12292a5f848935fca4ff0c23f2b2
SHA512 5cf07887cea6c0aa03a0536b0ffe154cc7d559e6e6d7cfc2eba5a404254c8082d5d3394e9200f7e74506331e5f5fcb2c35645e57ee72c7c6766c843d90322392

C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

MD5 ef40e813577650c7a03e3fc09d256185
SHA1 b0fa632605d715d43db0f717e04bc1dbfb4cd37a
SHA256 c49f720837ea4a2339e7afe26d0a33b0eff50c42d59d413a916e98478c4ba037
SHA512 5bc94386d476296ce11cb18a30fcc6f4a0bb9b7f46cedd8c2cdd060f917245f9a42c410188ee9140f19447903d509aed36467fb97c1062757ed00d52e0e20352

C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

MD5 8c06facf60f4f285be949abf878a300c
SHA1 e7d6705c1850d399b2ed20099352e46a8b35c658
SHA256 d67b2309bf831282e1d4048fd0877bb72e9e9f97cf796b4221a4bde44d783a45
SHA512 17a532f30649538b4e27174b8cfe8851053dced7656e76a11e418043dd3bf056a455a940caf316f39420a37c65550f22c35c01240d23881e1551bd84ade50344

C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

MD5 7b6438b2667de822f5c73d14d7f2c87d
SHA1 bfad84858b30b46df0d818007818d4d012ab531a
SHA256 e2268e0fca4ffa51bf6db98ac4aa33acca06267431d101e28bd0d2d19b85a885
SHA512 6be16e783d75712b069b0671b2b4ebf7492b8884cfa29d8cf949499cb73b19877c45253524d80c7dac1853c635f2743b0bad3ce101aa5e6906f6fc83a75530e8

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:09

Reported

2024-12-30 17:12

Platform

win7-20240903-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\ja-JP\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A
N/A N/A C:\providercommon\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 2868 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 2868 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 2868 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe C:\Windows\SysWOW64\WScript.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1052 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1052 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1052 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1952 wrote to memory of 1688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2560 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2560 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2560 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 1916 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\dllhost.exe
PID 1952 wrote to memory of 1916 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\dllhost.exe
PID 1952 wrote to memory of 1916 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\dllhost.exe
PID 1916 wrote to memory of 2168 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 1916 wrote to memory of 2168 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 1916 wrote to memory of 2168 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 2168 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2168 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2168 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2168 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 2168 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 2168 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 1052 wrote to memory of 1812 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 1052 wrote to memory of 1812 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 1052 wrote to memory of 1812 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 1812 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1952-13-0x0000000000310000-0x0000000000420000-memory.dmp

memory/1952-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

memory/1952-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

memory/1952-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

memory/1952-17-0x0000000000300000-0x000000000030C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0RCUS8BSZNG1FJ0QXMS.temp

MD5 a88005c288ff3d5adcf2a9f96b3c0a5b
SHA1 af1fbb7a0ec03c8d978f7964433d0c103339af38
SHA256 8865eb02e06b4b0a92e7883789c89994aab144be90a33dcd1d5f345b89070471
SHA512 4fd5b1c677671cdea8ea7dba1e9eb72dbc73d2da1be4f3c32200896abd7ee9557b1a4f5fc99c0f7cdbe46feec2b1d1cf2e1448c766f1fa830f8010c54d56c779

memory/1916-50-0x00000000002F0000-0x0000000000400000-memory.dmp

memory/1368-96-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/480-86-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/1916-108-0x00000000001C0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD387.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD3A9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

MD5 8585d73152d9dd92cc432813d3e9edb3
SHA1 aceb288bd1ec88de19e3b3deaf91dcd59ac975ac
SHA256 e149729436984fc63dd0461f7c5f401dbc24f4dc57d0deb350e5f95d0ecb9204
SHA512 55caa124cd795358bfae5a482bf49c4d2d12b259c44322b6d197129f495bdabb8ef3ce981c6f0c7c59bf61964fe5713801f588e1d85dac0bdf6c6d3609d21aec

memory/1052-167-0x0000000001160000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ad70eabd59673d665dd683d180f10b5
SHA1 4c66379f650a34219a9498e3af2101088cc142be
SHA256 d6e3a83656a79f6cfa589d0663a155a830b4ddac79145606853d4e514b2a345e
SHA512 3e0bb0c1d7f29963d362c5924692fb04809bb2dedaa515df84084e083907e7f4852ff3788a3bbd060640b10b4433c622fb83fa0ab7672682fa7e3313a2399817

C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

MD5 1f6ed599ba9027538d9caba937b1ea16
SHA1 0b7acdf788b8824f8f2b2505d6ebde4861ee1e59
SHA256 a95315d458d424ccbd94307d1f4112be5d67f03702467d68b46041e0489034d6
SHA512 20e2f13a0a96b66fcb7854817dffcb7ae67b7665012fd0b0d432eeab119777a73454b66534747394f4c700ce2e4ff83b55cb11f064946392a71f04a6b08ab155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74f50089c344173d87c353482fa3a6ec
SHA1 f983f76203c1c0045deb838023baf52584a54e34
SHA256 d76769ad43d372729200f0181571daa7eaf5e7ba0f70c2ae4d6a0aa75d8701ff
SHA512 74f8c505aa4a873d46267e09edbbbbb71396d417e48f54a1dbff9ac653663350dc5ca87eb4e39db56e1345715305f0d4284b5fb06d93510d6f9c3e280e90ea98

C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

MD5 5059bab5328fede734aca7351f06cec4
SHA1 4d335d74f1198f78ba09dc0390e4a7bab8666337
SHA256 20b8b9eb2768f5106dc748d6929afd3f64a9460c6601003bde4ee63a721f3131
SHA512 d318858e2b23d4f28f71d4f7130b1f9dc1a32c2a1c598fd68cfdb3902590b71719ef3e49d3220b1b5c6b8b3bc34f20301b244a0fd31c48e6712d31dc35484606

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d99e083a13ed7d3d6a95287d580c0f6
SHA1 8769208f5b303d2a72e92d0d330917f1a2ea2030
SHA256 7e067ee90d10247392d50ec28b6af938b54bf5412a20971b666a1fc9203f3191
SHA512 80c606dbb1348dab4db1ddf7a17c753736ec807001cc2af6c464f0d47d6e768e80d42dcceed7495bf01077932e1bd4965ba4ba18f061f775d61e4e93fcda90ba

C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

MD5 c0ead51a027a78f05bbc109308c8b8fa
SHA1 ebd0c9d440fcd2f4cce0a2a3b96807bfc6983ee8
SHA256 81a26db1991f0be7d30473d9c08ad09d3ac7763d3c0552a3e08e71164ad03351
SHA512 1126573e3d71dc3f44000a329955f74fef6e204d0af09d3b0eff6a62394716d9ef637db3f09d5ab7d6de25022ba3431f32a6fbef3c8061ce1bb21b3a26350bc5

memory/2056-345-0x0000000000390000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c5c15eb5f44c7b6c5944d8c9f72253a
SHA1 bf951562281959274d45845921aa403d430518fd
SHA256 2a323e84db2ebb78287b9a765b4e9d39a983dae022f00b51aa6d4237a6c67032
SHA512 cdf4f805de83b9da40df526673f394b6bf0e5a807769313d0cd226d30236da32193c47205d03497492f06ce7cc6794d390438d4158010234861bbbf9d7bf935d

C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

MD5 2ee467cef4d29ac10163414245660f9a
SHA1 181a8d8886cb8b871495a189b2af4583d15f1862
SHA256 978aa6e2f12272ec3008564bf2224a61d4aff2599ab9980c1c2ee65acac923b0
SHA512 e9601e062affc0c043f3615c22256c84a03457a99e3b04304fd5939c5dd235e9cacce9930fe24df9e520ab0906af508bba7a9e676d82d98600eada11eca17a2f

memory/2684-405-0x00000000012F0000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fe2d8a879dc347ec4e11a3d5bbd3b08
SHA1 f3f0f0c49ff222da4c37961a37d170550140a888
SHA256 c21a869a192c4ec32b1b4b7430a72dcdbbef0b6fadd747b14afb519e2b043796
SHA512 9093edc4ae410ed0938187fa353b30d79250a3fdac12c6bc0a1e3fe1a95d60c1dab41b9d2bb74942e771611901b168f98f5bb42cf0674b3edcc5d2d8046b34e5

C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

MD5 c6128a4db929acaf2fedc52cd75fc69e
SHA1 3aa869ec16d4f7f0d45539f96f1966d9a7c557cf
SHA256 6669e63c7c8c589d888a90067ed23aa4475cdfb3071fe28b6fc929c1217ab782
SHA512 077dfbe8c6dccef59cedba98cb54b7a2748d1d02c6dc082cea01cf95cbd9dcfa1317047aa7621373ecc4ad2a45b47bc1484fc822d13e555b139122f07794d134

memory/1584-465-0x00000000003B0000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2b88611555e93f524dc03279e984373
SHA1 54c7a024ab42d4160b21f26e75955e379087900f
SHA256 f85dc012a68186dc48da319fdeb5fe8a555d412ffce3addb529ebb80b0d83e4f
SHA512 b7794cd06c6da9150e6f4e2c7c40661bed1734f346818c01af8354c4c85da3818591db5dd2021badd182be17f70d7ef192963f49c32b27eda5845ff38894b5d4

C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

MD5 ac3e7fb43ecc074bdd8b1e4fc34de238
SHA1 ab95fdd260eb55f79ab5b1b7cec042c871ed1835
SHA256 b220236627a4b114595a1a866d0935fa94e057d90f5780f11f0ab328a3f0c3c5
SHA512 239f143adb48dd5ee6d5955fb165a3db0755628598cafa98d20259f39c6c8d3ed1d5dcbc300c9b59447cc00707c504e0ce2572d233b1dc885a9aaa3e7d1c0e18

memory/2004-525-0x0000000000D60000-0x0000000000E70000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f5cd24c77834bf777872447aff32d2c
SHA1 36b1ce41f2d20c953ac0ca24643d96d5fda82fc3
SHA256 0507367240dbe5b6e622732f3ba342e86d39a6da283f873fd9563479318ee06f
SHA512 fc682a58213ed16814f5f43409a5d2ff90a86260e37975dc27ee6b138b05a17c99d88bf7d67c5ea103b0b0b91a43240bc93cbf8ced45af77a3461716c3366439

C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

MD5 1d0d8eb379e07d2accc8850e70428ea5
SHA1 1b294a91420b53e807a54a3adaa89645a30b46ea
SHA256 484382f0c259ac2af7275fdc7274417e5c64241ef0cf3b490f4ce6b3a14efcd9
SHA512 87662993d13fe524ddc9443360a0c59afa440aff996fc688e7919aa737120ea3ae1765830aaad2bee4f03b22444bd5537f27abf26d076c72936ab05a06997e38

memory/2816-585-0x0000000000140000-0x0000000000152000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b653804e1f96450fbc1a6e7a58bf6b91
SHA1 5ae9a343ba5a96f28c11426b9dcc4db6b67186d7
SHA256 826d7c570600be471733de40708d5db7f73476746ee48fc06cfcce9faa0e91c4
SHA512 431dd8999f6e4082d25d64b1c4928025865d4427ff4f1efe9cf8713e83529d7c4aed2b90cab6f74300fe5115047140ba7bcf8ac516324bf6229c65fa96dd94b3

C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

MD5 5b36f079b52a360f6cddd367e895139d
SHA1 d7eba9db95b07336db3895fd4277fd5abf72c116
SHA256 6f1c77cfe1630c4d6fd2ec190c75cd9fd72e5bbc58f41618cba9e3f18950734e
SHA512 aed729bebc99f9a43447f406639df20f04cff87f0156244f34bda593daa315b7c305ef6da2171a17b383cbc22800c8e2c1778be825326b5eb458e70bac90868a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7145f360b21dc4647758d77b6ea27027
SHA1 47990d8b063a9a2f5157f59b94926a84029c9af7
SHA256 3c5d4eec00081c804d70c5f5ad80e5c6df60b89f4ab3252ea053c81a579fdadb
SHA512 f0e1e06656270fe3e9191d345e031d60ef34741e362429f856823580fe628d5b2d9dcc3b4031c7c2611dcac4149b9e99d48cca8dc487d23a7722e6fbf1461c85

C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

MD5 af2df2850a2ebc402fa207d52510f66b
SHA1 bae0213b68d714f217bafa3b3bb440a2cf7b0c43
SHA256 bb6f82bc668d3351cf4817b1f3cafe543678da8d9b10df074d925c8f1f216d2a
SHA512 757d210898fcb507eef5b6b288da1a3153a5e518ea74c9c6547fe6e5c7d614d028a55b976a98aa7c69d2e2842940dc2d61b44d68465dd58ed5764cd28aa41ffc

memory/2908-704-0x0000000001130000-0x0000000001240000-memory.dmp