Malware Analysis Report

2025-08-05 09:06

Sample ID 241230-vyvw4s1lbm
Target JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5
SHA256 1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5

Threat Level: Known bad

The file JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:24

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:24

Reported

2024-12-30 17:27

Platform

win7-20240903-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\services.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Uninstall Information\1610b97d3ab4a7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\en-US\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Globalization\ELS\Transliteration\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\L2Schemas\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppPatch\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\en-US\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Globalization\ELS\Transliteration\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppPatch\lsass.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A
N/A N/A C:\providercommon\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2320 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2392 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2392 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2392 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2728 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 2728 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 2728 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 1148 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1744 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1744 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1744 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2276 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2276 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2276 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 752 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 752 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 752 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1360 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1360 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 1360 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\lsass.exe'

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\providercommon\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\Transliteration\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\sppsvc.exe

"C:\providercommon\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2728-13-0x00000000008E0000-0x00000000009F0000-memory.dmp

memory/2728-14-0x0000000000440000-0x0000000000452000-memory.dmp

memory/2728-15-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2728-16-0x0000000000450000-0x000000000045C000-memory.dmp

memory/2728-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/1664-43-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 44169ab3e082f1fb1ac42110fe4bfac3
SHA1 9bbbcca132a149101b4db99cf18281089dad8d62
SHA256 9be34b50756cd1bdd321e86c49f86ef43215cf3fd3abac122f11780dd80a37f5
SHA512 95a96a70bc6ad20d5b3fe978863905419df899c2d15ea98bf951985bec4b809d7c070c4dff63e79da0305778b3efbc67e92b7b56ba1c8757e8a3db84ad2f8618

memory/1664-44-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/1148-47-0x00000000002B0000-0x00000000002C2000-memory.dmp

memory/1744-110-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/1744-120-0x0000000002970000-0x0000000002978000-memory.dmp

memory/2764-121-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Cab238A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar23AC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

MD5 3366c8956d59feae20b754e1fb52fbc0
SHA1 23cd963f4cf98062e43d926c5f4d87e7ed3e5ea3
SHA256 a2254072bd649bdf4b5fbd3fab5e4d16eaa4327a0d4d4e04857e6f334e38e372
SHA512 ea82d3ca2b19cf51a220e911678571a175b4ff15fa80c3c00c24b74851291817c27444926a2cea4cd4cb4643f733520f0f86fa1b660fe0802fd925cf25443d9d

memory/380-267-0x00000000012A0000-0x00000000013B0000-memory.dmp

memory/380-268-0x00000000003D0000-0x00000000003E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22f576e030ccae42f80ac35a63df4e01
SHA1 1fb75b1e24371c14d8fa7d14853117327fc90cca
SHA256 a7ce4bc71c17e072fa07c128f9cb04ad18caa07f3b7bea47bed5a1e3ba08e8b7
SHA512 3a1bf816a7c83e3ba9bc54b65183eed98e05b490137979d1bd794ffca4d7d25121d4beeaed3d5ab8a1df9ed595e78983103b1e6e9d9c5aeda6bf568f9e2d089e

C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

MD5 ed8b7cd993c11d233df8e2c3fec43031
SHA1 1f7212c7e717f127d1ea5f7a91b243070c2ea076
SHA256 91dd3a5e5b5ba3e38d3526b2edf2c2e9e421c4895baaa52afc0f7d0b5e480641
SHA512 690f3c857c998279ad48d60ef359c303ae3fa2c06bd6a38f1421f3f7511976fa3a29e3bab9ae3a6f018a4fa1011487315ebfe0be7bb9a7757395c11f2324c396

memory/2420-328-0x00000000000E0000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3717d9fdd02be55dc0228a750c045635
SHA1 224a86b48c039cb139897d6c77e5efe545085c2f
SHA256 8aa1012edda648e640e05e171ccf8e9bd67c1aa520090ccb93a9f2df8fcd0f72
SHA512 bbee23cda95db9846dc1f7e7109f88413c8bf7fd95d62e934771de2dd908b6612471f21bc98f0ebf6005a099c77e8908f02fe03ef1db0d3ac2191ec78e7329f3

C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

MD5 8e3e7fb486cff57b284212a3a07bf28e
SHA1 955af45ff73bc1e93901c2dae411f7f788366328
SHA256 5d442a14e5422c8c127570696be0bbac679269752b8fb1a7cea6412b91a1d15b
SHA512 e2885c7f0cc9f6753ec1d3445888e9fd0a7fcfdb9a2bf2a87d21355dd462338e024f07bb6110cf85b5665fe7947069cf1effa3d9891b616c2fdc288cd363a60b

memory/1700-388-0x0000000000A30000-0x0000000000B40000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42d54950f5c8beaffbfe5633576458b8
SHA1 5d063f16ae910d9332ee032411c50592f77b657c
SHA256 693956c56f9840fb0b64249d751b45bc4739c633ebd9e0fb4bd4baa22039a1c7
SHA512 e2b7c14bf0f4accf5e2df5dfeff07639ae351a245071da7ccd82c321f8ce9a55fffbf326ca16f9bd0fad621074188d81033a82004a7e785509b1db609b447e57

C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

MD5 14f3796310b19a102cbae1d3e17be8cb
SHA1 529f075232ce79da80f3caeb980c003b857471a3
SHA256 938561c7b58a22e81490850a4630006ccb58821f4a8e44e7815be5bb60194263
SHA512 6f302706740ad83b877df1c759f1454c1b8f03850e509c0c399b8e03ca4c03866f95d58fbd083192c97ccaaeb87cffef5d83473960bbf93737da004fa7042485

memory/2008-448-0x0000000001000000-0x0000000001110000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee78d1ef7ef223e322f8f2a5f0bd3618
SHA1 27bdb9d5cda245a642b3d8a1935108f773b7dd6f
SHA256 ec12ddfed6e7ee631462b2f5b73ea2c6ca061563807172a333bc3955b62760b8
SHA512 72288319a0c995b9b8879ef81e90b8b5bc8cee6096fef75371dd79f5b20e843658290a84ed66998032a592a3350bb18484823ab2dd4c0691fd48eb8a7e845ff4

C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

MD5 9bd0cdcbfd590a77014ab58e76cee8e0
SHA1 79f90e09fa1222b959cd937b736d19e881f84a6b
SHA256 86a95655c51b810052e7d7fbfba61d8983845952f5c3ee3beebabdcc3d85b274
SHA512 1b117c7509dc2bcb4f80362f7a3cf1a78c2eb360ecc99b1928950978b461232127d4520831c607560598dfdae1a431c135eb242d3fade672d5f215e22c809798

memory/1888-508-0x00000000003D0000-0x00000000003E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4472cd57568b1ffbceddd3be2234150b
SHA1 43603d46bce555a686232f685080fc9ea0b6dd99
SHA256 644524200d451baf3fe52747bd0f41616ad3b15746528350e44093a75c8741f8
SHA512 c24ec27fbfee6c8825bb5d814282dd1b044fa8cc5516b1bdfe9b2158db66376552dbd3ed3cf68a26d7c492bf810e2ac384c29e316c0a8642575abec81908766b

C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

MD5 473f42d4ad5c78cacea804992e0b8e4d
SHA1 ca915f8936b0e54aba10f267187424a7f4b3e6dc
SHA256 4b186e337167375e738d0f99315e3cca491eff651f9daa9abb8639a3b8a065c9
SHA512 6acbf87850a048fbe6970bacce0eff2ae534d52d21c1463d6a2e33028befee337682e1f107a82658ca7dabc27a52ad5c33a7ebe1b0ae5c4d9686fe2c67081537

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d6d3981ba24f4914ac82c16449d68b1
SHA1 99f8276c96a7998ef41b8199e8dd11f619384858
SHA256 6089a07ad784a68d18233431ce7e259751b4e6fc134015ac7677becfef81f52b
SHA512 a0a783af4480133ad1cd9bfcfbfd9128dc3fffcd8e8ca98c1114c99b247ea3015bd7714c9dac4bc8cf5a82d078a2c099db8caa799bb08f201a707a9fcdd9db85

C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat

MD5 b0e08fb13eb0289cafc10eab35a7d03f
SHA1 5299646c79a41fff116c4ce60960f795e3a3dc02
SHA256 b357ca17e7e1f402751a8325fd106ea318f0b5d80ad30805a0094fef801fedfa
SHA512 b6b24a68cfad7f561dce85730fdc4ff573e69ea4b9cbe5c33ccf645aa0b9bbb620f5529a6793d94d6856ee58f85e81d1f37f8363da41644772bdc1edb05b43a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:24

Reported

2024-12-30 17:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Program Files\Uninstall Information\TextInputHost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Common Files\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\TextInputHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\22eafd247d37c3 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Program Files\Uninstall Information\TextInputHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\TextInputHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2588 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 2588 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe C:\Windows\SysWOW64\WScript.exe
PID 3196 wrote to memory of 2540 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2540 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2540 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2540 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3188 wrote to memory of 4052 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4052 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 1608 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 1608 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 3784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 3784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 2928 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 2928 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 1164 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 1164 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 3740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 3740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4224 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4224 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 4924 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 3188 wrote to memory of 4924 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 4924 wrote to memory of 4916 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 4924 wrote to memory of 4916 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 4916 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4916 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4916 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 4916 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 3092 wrote to memory of 3576 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 3092 wrote to memory of 3576 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 3576 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3576 wrote to memory of 2448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3576 wrote to memory of 1916 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 3576 wrote to memory of 1916 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 1916 wrote to memory of 4988 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 1916 wrote to memory of 4988 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 4988 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4988 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4988 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 4988 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 3560 wrote to memory of 716 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 3560 wrote to memory of 716 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 716 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 716 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 716 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 716 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 5036 wrote to memory of 3812 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 5036 wrote to memory of 3812 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 3812 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3812 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3812 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 3812 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 1712 wrote to memory of 1160 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 1712 wrote to memory of 1160 N/A C:\Program Files\Uninstall Information\TextInputHost.exe C:\Windows\System32\cmd.exe
PID 1160 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1160 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1160 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe
PID 1160 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Program Files\Uninstall Information\TextInputHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\TextInputHost.exe

"C:\Program Files\Uninstall Information\TextInputHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3188-12-0x00007FFDC3863000-0x00007FFDC3865000-memory.dmp

memory/3188-13-0x0000000000600000-0x0000000000710000-memory.dmp

memory/3188-14-0x0000000002820000-0x0000000002832000-memory.dmp

memory/3188-15-0x0000000002840000-0x000000000284C000-memory.dmp

memory/3188-16-0x0000000002830000-0x000000000283C000-memory.dmp

memory/3188-17-0x0000000002850000-0x000000000285C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vstex24f.hsq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1164-68-0x0000020C44D30000-0x0000020C44D52000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

MD5 e94c690a08aba064148adb145ebdac09
SHA1 ed895b9dcf3f5ecd9b7f54c3048da80dbaba8722
SHA256 81905193fb00c43d57f21c604c6845cbed731365b1502b93fde3429ad5ee793f
SHA512 0cc2a5eeed1aceb2ffdf08737647cac4b06aca395e26ea7d354999d6fef7642eea4e4e4df765a09a3339e5634df313078a42c099cabec5386711a02c95742dff

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3092-152-0x0000000002DB0000-0x0000000002DC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

MD5 37e712d16daa1eefd155d8f3eec75800
SHA1 812a5f4c73498386e621f056a5b3ebc4be84f084
SHA256 a37744c6153f7f9ea1b0e12af08bd7972634855602a73df807ada943a9141df2
SHA512 2c0eceb316161f5af090990301ed1cc23e7e3ebdf557b897dcf9dc4755eff87d8929cde4adf16818a910f2c633b639f92ccd55c883d710ee715ecb7f4b53a89e

memory/1916-159-0x0000000002310000-0x0000000002322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

MD5 0144ab8c39b114a4a0ce83f9824b7d69
SHA1 39ac61d0bb8c072b1b4b65690a28f98d74b3c09d
SHA256 75b4400420d3f1f45dfbf479651ce5b40ce06bdf776f775fcbe58a7d9941df7b
SHA512 980166e40f4118025afc7bf0a7d7f4b398ae688d09c91bf310f8366db25878d08a6bf8361ff7f2d196283f64f09b44ea6922a3abd4075ca4ab3464e3515dc3d7

C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

MD5 499eaf617ff1a3e6b3e7dc0ebc10b0f0
SHA1 a257e4388bbca80a4f8529a735b1cc060929132f
SHA256 456ab22de454b63cb3c67c9a565f8b15cc0592ddd24a1570cdc46603965c42bf
SHA512 ab7432bce8a78443c46142bb9a232b2cff9c8cab9122a513e1e5e8a976b744b8b5b346b52446cfb7af212bf45d31c683c22d1306afbf02d6bf8717b0b1915b3b

C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

MD5 5f6d1f0731f072edf5be2504b5173fd9
SHA1 7a96e8117e9241e938a9caa33b19a923ff21e15a
SHA256 9530df2ffad9e9c61692e41ee15d48e30847476eca76c531451a9594e0f60c81
SHA512 cbbe97c8a1e8ccd9603d21539d6ca785e2777a568cf73483ee861a5cbc12d936a9891648e238783e7beeaa4732a8b5103a5b10285e37d3bb3ec716d43b8df0e7

memory/1712-178-0x0000000000C80000-0x0000000000C92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

MD5 2846451d2206df14befc939becdabe6e
SHA1 77942843137a677d633b81c43744180099119c90
SHA256 2aee9ec5d38d0232f3dc7ea3a60094e9a83f0a844a5aebc430b32bbdebfb652e
SHA512 2b4bc2dcfd2a0348a361094b212906a5518d963c331a229c57e60dc1038f98986db5e2374020367aaa21dc4a3d4dfa1c80781591863c3394f8a0b07b5864669d

C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

MD5 548872ae535a40ff7de52b1e38b83ca6
SHA1 038913bfdc8be7abe28f37c0232bc35a5c159db9
SHA256 e66298f30e43a460e7467cedef27e02f53951051941169f1dc265c865c82cc65
SHA512 d5803afac118e0f4484ced92895b4e5d6b4c02ba1a2366bcc3030784227ec2b3595b8b7c6c78bb35e7e025581a98c4e4f20f37f58911b7ef51983f8350b64702

C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

MD5 a38767a567b38700c6b1a0c298e771ed
SHA1 d926732d6ab7e8224c1f4a8741f0e4d5ad5ae2c8
SHA256 52cd3b6fd01f9f4b770adad6f02a36a3d8fbd5600c9c201a877956eb694c02f7
SHA512 dc80c21bc33ba528c15c5236723b35d14b6a775787aa61043e2375ffa5d3eb040fd9ba8fbde5e33841b847e5ba45edfeab4b4669fb3b9346d5703ba5b43ce650

C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

MD5 acd985db65ea1d84219ea9512a6be827
SHA1 47ea92a1819b6241048eb248355c31eeb7633bb5
SHA256 b7f0d9b8135f4c450aa269b6c75d7bc39aa986b1f4622059847fcb31e22e124c
SHA512 1dba068b1026c8b6a809eddf483f45deb4e6de1ef42d65fe6d0ccb90c707c09870dd12c2a87b50d3ee3f680fc23a886216f00ee76832780cce15e97d19e48134

C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

MD5 c62be8c9d419a332e981a09dfd262f05
SHA1 3f3dc12e90268e059d40ad9457f626f6ddf38551
SHA256 2c582918ab3f85a51731af0f67e2753d744e2de31cb791bb03179307d376583d
SHA512 8fcff9cf9c7847affb693f40c644fe66d13d1582a347b7ff175fe042f1966ccb27f8cb3f9cd2ab8f70b0862b96df5e8592490a75543c694c0a5d218958ab9921

C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

MD5 fe2da22800e7aefccd7464914d6a77a8
SHA1 69c9e8ac6d70cc42c55b1ac3cae53e004e755330
SHA256 bb0d6a67a5b92ffa37711d1383834929ae54813199da1c948b29a13cf4da9ad3
SHA512 2470dc8f330c82e8e50a9ae15671f593c8f892259e98562d5f2615e1e26f358d681d9a8b1658bacb5c6d24aba7ffb19387a8f2d9859e7a2f723e2b1a9bb6ee09

memory/1060-215-0x0000000001900000-0x0000000001912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

MD5 24bf520ad0af663d113da0e99cf54258
SHA1 76eaf111ac90c1dc0a641e511948f04a11badb57
SHA256 6e16c73050566aebb943ff265d6c5a751076f99e93976fc1e0e849e71543113b
SHA512 6383473b5c0cf62f459692af3d9fa1c011852a33b68615170ceedb1c9e610696b39e237b579d61829d18743d886de50f956154cb4ccdefcfd1b0106dd5016aea