Malware Analysis Report

2025-08-05 09:04

Sample ID 241230-vvhgls1kam
Target JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177
SHA256 20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177
Tags rat dcrat discovery execution infostealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177

Threat Level: Known bad

The file JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-30 17:18

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-30 17:18
Reported 2024-12-30 17:21
Platform win7-20240729-en
Max time kernel 148s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\Temp\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\Temp\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\en-US\audiodg.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\en-US\42af1c969fbb7b C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Web\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Web\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\tracing\services.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\tracing\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe C:\Windows\SysWOW64\WScript.exe
PID 2152 wrote to memory of 2852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2852 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2852 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2852 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2852 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2960 wrote to memory of 1616 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1616 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1616 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2396 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2396 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2396 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2532 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2532 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2532 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 1956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2176 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2176 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2976 wrote to memory of 2628 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 2976 wrote to memory of 2628 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 2976 wrote to memory of 2628 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2628 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2628 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2628 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2628 wrote to memory of 2528 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2528 wrote to memory of 1516 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 2528 wrote to memory of 1516 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 2528 wrote to memory of 1516 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe
PID 1516 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1516 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1516 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1516 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 1516 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 1516 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Idle.exe
PID 2884 wrote to memory of 2960 N/A C:\Windows\Web\Idle.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\audiodg.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Idle.exe

"C:\Windows\Web\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2960-13-0x0000000001370000-0x0000000001480000-memory.dmp

memory/2960-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2960-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2960-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/2960-17-0x0000000000500000-0x000000000050C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JWSH9HXV1BPA2XQCNM3.temp

MD5 f5fdd9ce289abbf3aea69e40e16d4387
SHA1 8a3134c72834bc1e8c8a41471b8e10c456c3718f
SHA256 82f3ad538bf4a9f373a04e76e3ce249d4f21d3973073cd116f535575c846bfc5
SHA512 afcdd7c7005aeb450e10682b8b5cce4aed82834d11b9dbd3c7b59add7ec61cbae17f9f707d44f1f2e9195616746f0c61d2b833cf852297f748c385a49bd564fe

memory/1980-58-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/1976-50-0x000000001B650000-0x000000001B932000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat

MD5 f31ada6f42a106092814cee58d61bacb
SHA1 d6934b0ee5964588239afcc735d0b6d29ee37841
SHA256 f65f3987375c16c98143286794721e8884a67a2091ff6861cda33474be9c3468
SHA512 2a71cf0b641a784f47d3e7edf8844b7df0511138e6d134af42e7e411e9a005473be65ea3de5187a51b734330fa456ca6cf5ffdf890eef993f3e9605c53806931

memory/2976-77-0x0000000000D70000-0x0000000000E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBE.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

MD5 45e1dd64615274e6ff5ce841c69a8a1f
SHA1 466f5189a5b0d5e0e990bb3d498d2e8dc693ad7b
SHA256 c437e67dbdb13c7970265203adf4ee0ccc926c61f95818b34dc18289db852c40
SHA512 948aa6f9c1a6a3c042fbb151e9f6a2132f185874a12cbaaaedfc5b0b05b7c593925686bb6b34d5b311c2148be562c957b0cdcc8ccd75a7da31c78e87f2a8fa69

memory/2528-136-0x0000000001160000-0x0000000001270000-memory.dmp

memory/2528-137-0x00000000002B0000-0x00000000002C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7405fabaab93319928ab7b6b30bb5fad
SHA1 a8f4925d7a67952eeb71fe2a0f2c38d2ef91f05a
SHA256 228401c705c52cc171ca9e49d6959cf654666caaf1238831f2786726b45621ec
SHA512 c3a34c536794ba17ae82e47d6c3ed2351877f6c7cc95e124177bf3c39d6578730b6949394f6318865f86d55a3217dc02c376e667f35edc6d54a77a58e3696529

C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

MD5 0986da0cefcc7993237cb00b72216c4e
SHA1 694cfcad26e9af3109d1ebf996ea3f5b83f5473f
SHA256 0afb8be3e876dac019b3ac18fd4b5cb28e408880a485a33bb7bd047a8ca79dd9
SHA512 91a21608114b91758c55816937889cc8da77bfafa4dd8e2e80272e2d6b779e9ee9086b193380d3090b28c79f566484db17bd8acffe61abea9df166522a7320e6

memory/2884-197-0x00000000002B0000-0x00000000002C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8985eed6f85fc6bf2e8be68a85b2ce2d
SHA1 39d42eab1a90eba2f22a1a9da7cbe2029b57eaae
SHA256 2e7980b934c92979648c7c2b53f91ef8c86bfdaf203191493c48975d54bf6407
SHA512 4928070fe0137879590a65cd90dccab9a666daedd7e9e757f7684bf82b2ce2e0b2de6daad75759da14fd19a6de27220f2b9f7061950758a715af0bf03920fdf0

C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

MD5 85b62ca95e5ddf88a8f371d0e7d36aab
SHA1 034caf69cb76c1c1c5aaf27b5a0b4b75d6e652ac
SHA256 3101b3a26dcf3c7e47bdd44d545bfe1c4a9c865f3985798cfe38fd25f48e6b35
SHA512 005b6d996d8b0b357a0051399bf566362a63889f6422ea5b60a0d6d5f3f7e4382bf27c7a24831cdbe6df50d96e0e0acb0fe61d2404e8a58d132e4186bcc74710

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57835819a2e815b906e7444d3dfc5f5b
SHA1 984247cc91439038276c7d02a00c8e07ede468bd
SHA256 8ddf060642a6b1f5d2b5dd7cb063b133cfa43f759d8eb10f24c895af17ebbe75
SHA512 39593ed439cd843fc05dfc58ce13947e9b0e87c254e62f778608172f51e925aed2422db1f027f6c996d84f9df0d1358892c414c25f4130dca716b3108953b2d0

C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

MD5 8f9a4d0b77acb9d371d4455ca67fd5c2
SHA1 e24774a7caa68106295448efde58473efbc8a0bc
SHA256 d2744c4021d2368ac6f234f76f67383e108f47c983f19172dab933108b4bc6bd
SHA512 7c3efcc7ce44c4cfdbad99ad15a51a689be1a5a6d52fcaba66badbb7a225c08fb82b1409ceb17c46f85387b8b869df930106b88c38b933a7fef26612f5607d42

memory/2556-316-0x0000000000220000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ef9a38aee475fc511864442d68c49ba
SHA1 095d822757fc9afa4cf4f887c3d603f52053887a
SHA256 018b25cd35a451267f6afd21464acf88ac9eb47a5a4ce014deec6d6bb61257d0
SHA512 a5a91ace516b41479bfe22b3c2849c8d4ab51d138112e7555e0ae79eefb871a7b8ea2fb2b879b8b46a6d3532738ed67e00ffc989e60a87ab51fd226ea9f1f02a

C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

MD5 143ffab1a2ad3456560ee6b84ca23c11
SHA1 d18d9cc086493eec5d3284cef34d02c326713e7f
SHA256 2b0890e293b5d46a030e10030e2d1117d83aae13c8b3cba71e378506d5b75639
SHA512 5e787ca7192eec0adf6f125c9ec0b8fe8df786ccbda2b9a0021326a4cfaccda8ae55876cf7e6f17ae3c176062eb4d75344d5825ceab4c5740666c378fa22a885

memory/3064-376-0x00000000009D0000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef50f587008b27f8cd927b023db0bb09
SHA1 e593699c47f7367cf1d999f8d39f245cbc51e4ee
SHA256 fec8c8dc33ae6757953eff141debf785660cfaa448e81a36a63262d60b168c39
SHA512 6ae07934a55c5fd7be45def3b7b4d46f119bab118fd251023ad5ad829f60917291ada0a8a911650c655dcc9870cd30d1dec675e2d77109d2b7be0abfd0bc52e2

C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

MD5 09b4e6290ea39feae3a590489aa51249
SHA1 c5716ff83273ac31b3982ab74f50aded934f41b4
SHA256 ea3eafd236d75bf98045355c0bb1902a2cb9bc6078972ede4cedf3ff88177713
SHA512 de733a96b7ad0b68c36c76f4dbd9f9e46f5e68732e6bc092fe9d9893dae81b08e6ed89ec7a1531ba89c6bc0c091fe050510007294ac79038ddb8e7d221919d65

memory/2408-436-0x0000000000A90000-0x0000000000BA0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6443f4b80fa35f0c906beb2f4a50adc1
SHA1 7696fa9af95291f9e7905755816426707d3c54e9
SHA256 ef193af5945fe3588a8cec8d041637d655ff435e2d3ae4d77dfeb1254ff9adb3
SHA512 2be6f9ae95db067703cb1bdd5739f3a05be3f21c4561d13fda86d2e5e5521a0ac53655c482bcf49c7dcb8a7d6a0d8f9c5205f95a7d733511db634db3b331b7e1

C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

MD5 dde3a2e904e8ca2aba29e08df4350886
SHA1 d7c0557e3ea23795f5be47df266f61b381a49766
SHA256 e35ac54d4a76a274eff34308e78574a864dfd589747d4258734c077dcd58ba56
SHA512 2ec9f9f3e19dcbbce36e940e3886812029e7c21790871960a4973e98099ba06f1b765b7ea876e30169d9055bb49f443fb536641000fb5e44f4c1d6833aa9c0ef

memory/340-496-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37493c62e17dff0af3202dcce2fd26d1
SHA1 fd272e3f2bbd2901349b69b39f8a9714c0de7dc4
SHA256 ba2e58bde02ce652645a424f8997582fec15c24773eb76b66202f7378747bbf9
SHA512 c791ceed5df76447422448a42169f3205349a722adc85b2c3373ac5fa175c5a7a24bd7a2b7e19576ee6d5de067a11e7fd662467e7f9c44195f0a99080e5836ae

C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat

MD5 90503dfd66d411eaf32046eb047d160a
SHA1 4c15e3c6d096d11f06b9d68ebc9d6676b4d36367
SHA256 ba096035e5c0926d63cfd3d10fe6ae4253746faa50b9d3ce2c3483cfd0236775
SHA512 184858240bc141f1b4014029e5fe2465dcace3a3add3ac46e671e274488eb98cb6c3fc3b149b09a52c3075788c29b4166e43bf662f5ab7be96b96c30a27590c7

memory/1960-556-0x0000000000F30000-0x0000000001040000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a1db1559d737213845ea0fa5a98474e
SHA1 3e2b9f66e130d160f2ee9e25565580dd6b25b0c0
SHA256 e05bd816e6d8e721c496652170233c152d9f4055c675b4bb5ea3473d9c6dfa43
SHA512 08248cd8a64b19f8adec8306b8f19a3dd13c980d253d227a08200c73d2392d20aa60098b193ed13fd987bf15aea20a2464c14c0ec1d6eb88b7c5ac89a48b4774

C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

MD5 2252f47fcc17c7a205f6b95a5ca0f9f8
SHA1 672fc71c92c99c18a9013f711f34ef89fd4b2048
SHA256 44cd3be882d75aa4d0963a50498c8f1eb93b271db6fcd937bc03f10290d12731
SHA512 2527e0b9f5a9921ce4af139faaf63e5a06d66080edd1ccb72f019e932116529026c330c322a2f62acaeef06a5fcb0d0c6493ff96ad2de0c1158482db4833e3ad

memory/2952-616-0x00000000011D0000-0x00000000012E0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e67100773296045c1bebca34101ab36
SHA1 3578a49c949e9fb8c46158d7419d7528b4ff3103
SHA256 6c3c239e9e18e5839539ee617e41a4aa95de3673fafbbd86ec67d7173f5178e4
SHA512 e9839169cf672b8cd1bb8f09ee9362b7c7ab23aa7c5d7f42876f94568a0fb3ad8fd33298097a6b54f0b77a55b70549eec35b3d8e48c253a8e217b85f84544e32

C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

MD5 8a66c801cbf41107b9a903674f12c189
SHA1 eb10bf7f6203f9c9da19e3866ba3a23a6381433b
SHA256 13f3f57bbf40e85747b37b1177a118698aa4d33b5f83099e00b5a33cd4aeb9c3
SHA512 094951820335c43705e6ab9dc6908ecb847697a37c44c9c5880297b91847d0e804931b85cd630d2d4cdfd856b877a245a5d283dbfc6af40edf38939ec8cc45ef

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:18

Reported

2024-12-30 17:21

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A
File opened for modification | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\bcastdvr\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1600 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | C:\Windows\SysWOW64\WScript.exe
PID 1600 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | C:\Windows\SysWOW64\WScript.exe
PID 1600 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | C:\Windows\SysWOW64\WScript.exe
PID 4264 wrote to memory of 1384 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 1384 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 1384 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1384 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 3024 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 4204 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 4204 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1128 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1128 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3084 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3084 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2240 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2240 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3636 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 3024 wrote to memory of 3636 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 3636 wrote to memory of 5076 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 3636 wrote to memory of 5076 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 4904 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5076 wrote to memory of 4904 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5076 wrote to memory of 1456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 5076 wrote to memory of 1456 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1456 wrote to memory of 2408 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1456 wrote to memory of 2408 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 3312 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2408 wrote to memory of 3312 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2408 wrote to memory of 636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 2408 wrote to memory of 636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 636 wrote to memory of 1588 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 636 wrote to memory of 1588 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1588 wrote to memory of 4912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1588 wrote to memory of 4912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1588 wrote to memory of 1128 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1588 wrote to memory of 1128 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1128 wrote to memory of 752 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1128 wrote to memory of 752 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 4940 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 752 wrote to memory of 4940 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 752 wrote to memory of 1792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 752 wrote to memory of 1792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1792 wrote to memory of 1928 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1792 wrote to memory of 1928 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1928 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1928 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1928 wrote to memory of 2356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1928 wrote to memory of 2356 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 2356 wrote to memory of 4084 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 4084 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 4084 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4084 wrote to memory of 2896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4084 wrote to memory of 1540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 4084 wrote to memory of 1540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 1540 wrote to memory of 3068 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1540 wrote to memory of 3068 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 3068 wrote to memory of 2340 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3068 wrote to memory of 2340 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3068 wrote to memory of 2504 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 3068 wrote to memory of 2504 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\bcastdvr\DllCommonsvc.exe
PID 2504 wrote to memory of 2568 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 2568 | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\bcastdvr\DllCommonsvc.exe

"C:\Windows\bcastdvr\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3024-12-0x00007FFF0C4A3000-0x00007FFF0C4A5000-memory.dmp

memory/3024-13-0x00000000008A0000-0x00000000009B0000-memory.dmp

memory/3024-14-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

memory/3024-15-0x0000000002C10000-0x0000000002C1C000-memory.dmp

memory/3024-16-0x0000000002BF0000-0x0000000002BFC000-memory.dmp

memory/3024-17-0x0000000002C00000-0x0000000002C0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2c3gksp.22v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4204-50-0x000001E529530000-0x000001E529552000-memory.dmp

memory/3636-75-0x0000000002990000-0x00000000029A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

MD5 c20200e418652e34dc09faf924ee7e9d
SHA1 bae20eedd2d8ce5b3a952cfaf429ca13fb107936
SHA256 7a93648c1881c1096dbfb994db16e35fe7ce5a1f7d61fe628ed8150cd307a740
SHA512 54adf5ed24fc305d57f1148e072ac0596b45eb68b08e0779b3e58affa853a37f34e503b4d22ad66f612e66127e0b95fdefe12548f77fe03d1c61f456d0950984

C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

MD5 a77393f440de76d384746b5db6c4c63f
SHA1 1cd5579d0d5476221b301c3d24877ebcba07b710
SHA256 7021bebe788d83c41f9e5b4a2a1537dc84fa650ba97edeba10bb1f76c19abbd0
SHA512 dd86e40ab0c4f2f08bc5b92a4358b131b1f17aafd86823f27ee6c85efcc9784de9e4d47fd9173f0e919b2d81ce2443f4697aa6d5a8e521a3582281defd689a22

C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

MD5 c53d062bc6af5ca899cb7a6392bfe112
SHA1 687fae03f6e1623f89bba0f97c4aaafa21827e73
SHA256 cc16859d1b142df2fb19ca7fe1db5a8f6bb562d784123b1a32a9603e45375b48
SHA512 0ba0d699c7e427036aa877b1e5e0c0e6fd7c347f7ea3b6a1eba044db84b8750ac07a149e3633490dc82ce1ebe8818ea4302b3a20ce5849f147033041d8785d9f

memory/1128-114-0x00000000029A0000-0x00000000029B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

MD5 2904630b6237f97613113da9833a008e
SHA1 824d7c0ad1fff1364b4d48506ada4c22f9c2e2ad
SHA256 41928a2566f5cf5a54e1e8cfc0dd408c976465aaa6bc44b46edd5a0040d92b88
SHA512 de523fcf4404753e29e179afa86a8fde08ee5e89163b3dc0fa5a64b7c6b93847f6495587b95245010c71cdd357ba67df6640a6d230c63ee454c0e01f2b3a60a7

C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

MD5 f10fbb1c4761cf4753fc3b324ce04774
SHA1 7e9be3830eab6c75dfef0dc6befdeb086b74bd08
SHA256 b54c611b5b9a13ba92024addd5ccdd1853ea0893cc3161633fc8ab506535aacd
SHA512 a6ae6ee8d12bb1a56cc2b05e90a1e51858d89d13d34a62c0b9818abc3aed79261cfb1ea0d9fad3e6f95562fdbf7bde05c559c2e5e0f47762373715e8845c7551

C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

MD5 4b3d181082149b655446685beccec9f4
SHA1 911fd0457a2c498d39b7dd9be729897119d948fe
SHA256 5792d718079aa032aff5e80758e20b8e1d481af4df0ef3bb4f4a2d8441b25c0b
SHA512 607e52e1bc9bf5543da5c8b46873c1365416d5b665740856effe9cc74835cdb413920c62124cae2c706da670cb3bf32e937a20aa83907624526152c0927f8cb0

C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

MD5 72ec0ca508df79dbb551cb51b5f53d17
SHA1 c3b76fb254e2b2f95c646bd405f0009cfd8c914d
SHA256 a64ab4cf7a76b34eaf9efb044d38a919d2e82272ad456f239cadaf3e9b51c024
SHA512 767a0451458ccaeaace4844aa0ac9a4e793e49c619659e604e289b3479771896471b7ded9844d42756d8893901e75b56c4b4e30d37852ecef8c829d7a91c89cd

C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

MD5 4703a6f0f23be37ef3ef5039b7a60506
SHA1 9f69c3b18fee06b364669878c028a793703a776c
SHA256 ea93f72d92b5450b34785437aad8b6053135c344f21fb31b85e88339f8613f58
SHA512 96ff18ddaa97dc327377d017819753092bd5ef7018f125120f1f4a94a2d9665db09a99081b80039afc98b12c3cf588b8eb39f9fba1f74e57c9cb073e897a60c2

C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

MD5 eeda916025e42eb67b06b5cc96ada430
SHA1 f3a5b1bed80ff46668054c8d9d202580d49d3904
SHA256 2eed28016d52e1addddae12c3d02694b977dfccd96e45594313296e34c514f76
SHA512 955cf46a76c22d7036d5e288bea028291ff2c041bb98c6c859bf168d60d16643f77cf59272e5dde80628757f423307e9b56699ed18f447c1b6640aa1f04eac0f

C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

MD5 24a62f927e8d93563f521a85b6087308
SHA1 bd9fab1315cd81c866fe5116a11352b339ad28ec
SHA256 e86ce2f3f5d57fe0132f7567d594724d1b83aa405bf4e05b0ede5cb656b03f17
SHA512 fd5a73d6b3dd587f3a4a5788cc36f75a79fa511b60b05c9a8740b155b1ecb59402bfccc7faffee304b88c8b900ed6e91e829cb5d4ca750100337c1d8336e8d72

memory/4456-157-0x000000001B020000-0x000000001B032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

MD5 efd502bd8e21e2b60ba0b1636d92ef2e
SHA1 fe17e624dd4a670135a073d879e4d08c05f7b62f
SHA256 3cb02e36d526f49206b87d067a517bedde0a3e73942decf353a5a1a277322dfb
SHA512 1ce7faac04ad72ca329c9732758f25bd6ef34042bed4adc0ab426960bee8dfeef54802feadc9b0e8bc59269fce872ab4e491287141865906ac413ce44fcabb23

memory/1504-164-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

MD5 b8b718b32a2a3193eb7d931cce194c1d
SHA1 c2187734e5842eb38319428ac338414c394facae
SHA256 3d52fa3a748276bcdcdbe66c4dd600b3aed0f82a39ddcad5eb8974da450985ae
SHA512 ec8bfa2d243cd65648741fd1655db7ab78713c88745a6cb2ceacedee8711b2ffb44f5249072830386898279e5e6819241b480bfab34e76bf4b7aef584a7458d1