Malware Analysis Report

2025-08-05 09:05

Sample ID 241230-vt5kratjfv
Target JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6
SHA256 5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6

Threat Level: Known bad

The file JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:17

Signatures

DCRat payload

rat

Dcrat family

dcrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:17

Reported

2024-12-30 17:20

Platform

win7-20241010-en

Max time kernel

145s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\de-DE\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\de-DE\DllCommonsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2168 wrote to memory of 3036 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 840 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 2028 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\de-DE\DllCommonsvc.exe
PID 1760 wrote to memory of 1736 N/A C:\Windows\de-DE\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1736 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1736 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\DllCommonsvc.exe
PID 2964 wrote to memory of 1424 N/A C:\Windows\de-DE\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1424 wrote to memory of 2328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1424 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\DllCommonsvc.exe
PID 580 wrote to memory of 840 N/A C:\Windows\de-DE\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 840 wrote to memory of 1320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 840 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\DllCommonsvc.exe
PID 1064 wrote to memory of 2596 N/A C:\Windows\de-DE\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2596 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\DllCommonsvc.exe

"C:\Windows\de-DE\DllCommonsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:17

Reported

2024-12-30 17:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\it\Registry.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\SysWOW64\it\ee2ad38f3d4382 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Security\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Security\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\TAPI\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\OCR\fr-fr\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Migration\WTR\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Migration\WTR\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\TAPI\System.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A
N/A N/A C:\Recovery\WindowsRE\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe C:\Windows\SysWOW64\WScript.exe
PID 820 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe C:\Windows\SysWOW64\WScript.exe
PID 820 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe C:\Windows\SysWOW64\WScript.exe
PID 4424 wrote to memory of 2840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 2840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2840 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2296 wrote to memory of 4964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4676 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4676 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3192 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3192 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 3412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 1412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 1412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 4172 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 2296 wrote to memory of 4172 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 4172 wrote to memory of 4064 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4172 wrote to memory of 4064 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4064 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4064 wrote to memory of 4856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4064 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4064 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4548 wrote to memory of 3816 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4548 wrote to memory of 3816 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3816 wrote to memory of 2148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3816 wrote to memory of 2148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3816 wrote to memory of 820 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3816 wrote to memory of 820 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 820 wrote to memory of 988 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 820 wrote to memory of 988 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 988 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 988 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 988 wrote to memory of 4540 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 988 wrote to memory of 4540 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4540 wrote to memory of 3196 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4540 wrote to memory of 3196 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3196 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3196 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3196 wrote to memory of 1788 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3196 wrote to memory of 1788 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1788 wrote to memory of 2560 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1788 wrote to memory of 2560 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 2560 wrote to memory of 4348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2560 wrote to memory of 4348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2560 wrote to memory of 4844 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 2560 wrote to memory of 4844 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\it\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\WaaSMedicAgent.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\dllhost.exe'

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2296-12-0x00007FFA810A3000-0x00007FFA810A5000-memory.dmp

memory/2296-13-0x0000000000330000-0x0000000000440000-memory.dmp

memory/2296-14-0x0000000000C20000-0x0000000000C32000-memory.dmp

memory/2296-15-0x0000000000C30000-0x0000000000C3C000-memory.dmp

memory/2296-16-0x000000001AF10000-0x000000001AF1C000-memory.dmp

memory/2296-17-0x000000001AF20000-0x000000001AF2C000-memory.dmp

memory/3500-60-0x0000020F6DE90000-0x0000020F6DEB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjepdwuv.the.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

MD5 1fa423c44409afa90a3ccb4c7c28fc8a
SHA1 e8526dc8592caeef002beecdbaee61e4d9bf67bc
SHA256 4ab03da2386cbac5d9f43b3520ced889fa2cfe8d35b87aad3e059dbd71b42b42
SHA512 68ba924239346c7a701dad0efac2374a98ffcd2b1c812acb6b28621fb8c24e49bb1f05de70d031f1ece6c3083d58f609fe56e851e97d4144ac600f3b0173b40b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

MD5 f58c839638a3d919bcc4b39612967d08
SHA1 8fdef2fa91c36bb91d21e6f127dac24bbce61e66
SHA256 b6f1bd6b13e87b7fc13286cf661b507d735d4d4d07fa93651756ccc5b2e2c6cc
SHA512 a887bad2bfe468fc45231a82c079988fd0f8ce9f9069c84ad9268f3152fb9b0cbfceaebc0e4acb83146d1b868333c044610902f0df9de1f010c91704e1cb9abf

memory/4548-197-0x000000001C280000-0x000000001C429000-memory.dmp

memory/820-204-0x000000001C7E0000-0x000000001C989000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

MD5 c7157d71c1dc4fcc7a79f9b82d5f6d07
SHA1 4516066ed7a59ea0ac9cc50723200ec1d46aa78a
SHA256 d02f0530c1c252f8d3ed132d8b581c364a27b3d0ab319ad897c678d14d1854b3
SHA512 19b4eb0ad76e17e334c93322ec55baa4769b4f00d67d0b4a34c2df81850cccbf6297edba98e5f4f943b28d6d17c718746be34577821e15e4ff4836ad2a233cb7

C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

MD5 54ba6891d45b018029268fd67221a0e4
SHA1 154f75764baabbb47cd4559f4e3370268713c6aa
SHA256 1c4156ef1d208b0a48ebccfb4fbd6c63455e8720e726deee466163d1c02a8468
SHA512 fe32398a04d12fdb53dd93a9ada60bf2a75388feab8604ba7948841a11c812ff3cb8f039eb9fb91fdd32a3e21c03e378a860ac1d51826f9eea16c4f646ca2e6b

memory/1788-213-0x0000000000E40000-0x0000000000E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

MD5 8ca17e0f3555817fac25ab19561c3ac7
SHA1 8c038b63337eb9c8b14c1cbf2eecee4a073be029
SHA256 274b2f89d77bcf101f45c6a16f3f485f2cdff1dc82ba7e62319e739679a5adae
SHA512 980e26e4c9f5ee043bdd614f6ec4c6732a862c479534b7f47063d9b56484ba3eb1307e729dcf059daa2e92d2983b8e5bd161317dc5a067e70ff908a48684a3b9

C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

MD5 d0ae55d63c1ea4a8a46aa4ff5974291f
SHA1 8da49d60831afec25e94c9d68e9d08d45c7056e2
SHA256 27a3032255878227d9cc84efed35eefcb9fc2b9d614bc7b22027c4e3f7bbed79
SHA512 0a9730cc2154d29c5134fcdf4237e8c4e3f15014bf5b0d3a117aa16b9b45029d10a085e04c4fa338e6cb3523897c800d9b25a9435286de19e00cc0c096b1a86c

C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

MD5 653e20146c89631d63a403cc6b6dc1d0
SHA1 d912fb445b31b024bb73aeec345aa1e3015b994c
SHA256 f6bb44df548225087e9868987fcb4bbfd05c62db3ace6efbfc54e651f987966c
SHA512 52e52794dc58d8454420e899536708a8e9c6a2d1ee4ac44f06569eb68ff88b275ad90dabee0cee93e629736b2906705007d852e4a1c545c8bbb3a714eda14fcf

C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

MD5 905ac9b6e6adce34e432e0b669d021d0
SHA1 70d1095c383fa052a8e2d3695cfb6bf5ecf1a418
SHA256 f40777327a957f9f4428229843aec194cdf9e3df8131692ad7b8696f96b6b1ac
SHA512 0eb612508b3af7d7cd253e3e097e6fbc259fe7087a6511bed31e90596d3c2231156ebb3db2b16da6bd85b711a676b1a99746bd96ca3de662443e2ba90adea9a2

memory/3720-238-0x0000000003150000-0x0000000003162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

MD5 33bcb36ec8a6ce6dae33697f855077c2
SHA1 e8bf3ff9d1c0742db76e8059e31e0730f8a5120d
SHA256 436e0bffca9880b1813977859192b1ef2d8ecb391a603bff405069f665f46712
SHA512 1b5ea08b7de9aa0f4930585f662a7da6f72dc85d399d5f9ffafe5c12622d4113df0778e060bad720020aaf77abe197a5ecc8e628df6dc8c9eabca2f01ccf5412

C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

MD5 13d92f0b3193ba6bc71f77f6fc131559
SHA1 42f657e6857835690608e271bec50ee0885958f1
SHA256 27b246dd8242bf8492839d1a21dddea46564d2fa9091e1c07c16a2335753098f
SHA512 3831ed88d0428f67b81d4f752636d497affa8097203161b181607a2436d1618b7db3db5a22915740d8f32f3ff3aeb5e39e746ea25a991071d03a927f459de398

C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

MD5 eb9150005065f61e851da5f465adafb9
SHA1 023726fa70e6f595bec98fe4df28353632475b9f
SHA256 9512f43de0b919dedb15337233a2e1e88ce6da75232e4bdda57b91b95c19be56
SHA512 9207d57585684736efa8b2751790466fa828dbbfc1280385b5f3782b9019fce50d26dd911f212f822b6122a50ab52a3ec0e1c84cb969007eb783b562d7a08116

memory/3420-257-0x000000001BA40000-0x000000001BA52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

MD5 7f44837ea3234a8b47c2b8e44e886f67
SHA1 7308ad46560732d99de815a715cdc75e5b354924
SHA256 16f19cd094d0897642188e0e02aa38ef0870f99ab2b8dfb39ea87babea56a56b
SHA512 1c95619ff50b31457a49dada1a28edbd48efed6ad6165a293c778700969ce25cb35f4c4705aee53149df72dbcc7a58d6bd2cdd5dc0b193dbf7300160bca8108b

C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

MD5 ca40583628f3b36eb7ab33010e6002ab
SHA1 cac93f9e6475ba2de18dfa07b4f3bd0b331454bc
SHA256 0213551b846a281f0cc31535bb46a88d56ca8cc16cf1fa8477bd6ac37b022ec5
SHA512 98d9bd0b58d27bc8b2bd21a71c4e883e8618e557dce04efd26ec8479e9d52b9c965300b76333af5d3b53edb23475cee94fbae95f78a58cfd6e87a5c87a9f08eb

C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

MD5 2fa01fa5cb3ff55559baf87b47130685
SHA1 d6d09e2a26e0f80d19172f3ed8a5778d12d02701
SHA256 40724291df025ddc1877563bedbac617b4b62281418fbb40ac8dbec921dd3029
SHA512 f5455419caf85046750d76e6c231be73e1c921a9da17b7a1f1fd3e71806f71c3f4e28bfd49336f6aa21a96cfe6eae8bedd27010a9616f11863258d9d4284f137