Malware Analysis Report

2025-08-05 09:04

Sample ID 241230-wafyqa1pfl
Target JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570
SHA256 78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570

Threat Level: Known bad

The file JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

DCRat payload

Process spawned unexpected child process

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:42

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:42

Reported

2024-12-30 17:45

Platform

win7-20240903-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 30

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 8

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A raw.githubusercontent.com N/A N/A 11

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\en-US\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ehome\en-US\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ehome\en-US\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\providercommon\DllCommonsvc.exe N/A 3
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 8
N/A N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe N/A 1
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe N/A 9

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 6
Token: SeDebugPrivilege N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 5
Token: SeDebugPrivilege N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe N/A 9

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1764 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2516 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2752 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe 4
PID 2792 wrote to memory of 1820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 2496 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 544 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1360 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1644 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2792 wrote to memory of 1512 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe 3
PID 1512 wrote to memory of 3000 N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe C:\Windows\System32\cmd.exe 3
PID 3000 wrote to memory of 2920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 3000 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe 3
PID 2516 wrote to memory of 2700 N/A C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe C:\Windows\System32\cmd.exe 3
PID 2700 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 2700 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\en-US\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

"C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 raw.githubusercontent.com udp 1
US 185.199.111.133:443 raw.githubusercontent.com tcp 10

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2792-13-0x00000000001B0000-0x00000000002C0000-memory.dmp

memory/2792-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

memory/2792-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

memory/2792-17-0x0000000000300000-0x000000000030C000-memory.dmp

memory/2792-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 339d65f6ea29571ce86e6de2d5213817
SHA1 dc2e74912ddb6c432421a8dea77168a534a481d8
SHA256 c1f83d75e7948dfbb52e828141f5d821eba26a6e83ffa002d82c047b220ad526
SHA512 d1df5644adc743bd2fa1bb6001a82b0f9a709c64c3f533cfc5f4b1f2f683caed596edad7390fa509faf09b61b07c41f7edafc40ebdca9d53e70b231c167e700e

memory/1512-88-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

memory/1820-81-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/1820-80-0x000000001B7B0000-0x000000001BA92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D62.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1D75.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

MD5 0a2e74d51672342ff07dea9175bbf7ac
SHA1 a322d72142cf69b1b641f8961730db210c7dc046
SHA256 f4e04e63d2487753647b86b336179d24224e391005031afe2d6e7bb9c17a2ca9
SHA512 87f721ea206e6bb15fa6167192906a5bf9d2af70faeaaeb6102944d412958c65685c1ced96e78fc99e5d764fe0a9b1313419faedcda08a44124e37b7601d2e12

memory/2516-158-0x00000000001D0000-0x00000000001E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45b8acda59bde907bfe60e266b78a6af
SHA1 1e731a3101035d8d0ce1c6bcf6fbfa079f48af67
SHA256 2ea054a873505487f80481ca392000557ac0a6a47a4a25c56f1bb94cba90604c
SHA512 cf2474996e9c521917a212b39b6ce8dcae69a1a5fcf743a0b11886ad32abcb70f78fccb5ada51dcc7180f773cb643d565282427ec63381ebfd7b959771cb4526

C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

MD5 1fc54f8437627cb6c2930e2cdfa9b26b
SHA1 44fbd25a80051307b7422fd1e3b5493fb9c11654
SHA256 891f7303f4ded280e62c17d607597d783a0ec7143f9557c991ee0e57c326de53
SHA512 c7d259c8ef820b483cfdf78aa96a50cd7cb4c973959df2363465547aab40ffc602e0f2956992c689d5389fc19d7d7436a468a45a72e2bf604a591184d575fd07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f42a576e813f5264db39f1a964abbeb
SHA1 06fcb317d99c0805208cca1c473abbef9363d1fe
SHA256 80e931f2d428c4d7622503b754d256eed5dd047d0911c0e7905c7e7f9427aa22
SHA512 ed1317336d68df8036a949c7b51980723d3156f640d1713acdacf8858304ca80ebf8c0a993d738033db65a9dbe4430ebbf9d11d592c4bfeacd286a361a5c60dc

C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

MD5 d541fc1a34c6127a06de8ea6153bbfe1
SHA1 4799ae833ee2025b94dba43677288865f1b6d183
SHA256 ba9041dff1e5ba555ce6ec695d300e3bcde2d75cefae30cbd1b6159c777d8bf9
SHA512 25a90f1446875f15c7018c656a1f1b27dda3c3931502550812447048c738716408e86ab7b73110b1682b8758b39f2216215e676da8b2b9bc6561b270096f7011

memory/2308-277-0x0000000000240000-0x0000000000252000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbe0c664143a6028b09c4d8e964ddf86
SHA1 9d4ab07cbae7b8162a98f8261f417d3d095d3f2f
SHA256 9dd8ca1a013238bd46759befb7a8f57d36f56759ed49c691ed36e318ef009a18
SHA512 6fc1c0d11470b535b838211fc8e83809f9b9ec11c7d3c1f4a07e20b8a8ff153bcc914cea639c90833409bcf38e38c6a20c7ac04fd7682834b1989c8dfbc9ee86

C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

MD5 d42b24331e3f8087773b346993d942be
SHA1 d91abb4d37d26ee16518a33d85fc0d28b09de465
SHA256 f6eb381212e53244a410551ffd5bb64482ce1fd3b6952057a5d110196e994088
SHA512 79e1d2b254850251dce3b636db151f4641bbd096ffd457a573fe1c40071eaf5304786767cb9ed73a6d1bdb0c46c9acaf3b296c67ce0dc0b3268cd4862de9e910

memory/1012-337-0x0000000000160000-0x0000000000270000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0aa6a6250d0427530d3777c31d8881cd
SHA1 f3b0f9b0a0147d842ef5940abd07caeb837a0d09
SHA256 b1087a9c8536c16c04836704e0188ff30c2b75f2100df7eebf07075bd90fdf9d
SHA512 dd336c7c8179b07e3e8daa57e952bbf1904b5585814bfeead0104dac91ad2ff9f6c086025ac61a0090c1943ee90ea9e14d872aabafde0a64a37804e6b5f6f5d1

C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

MD5 18b9dabec10535f3eb491a100d6aa501
SHA1 ffd8712a2f6f87833883eb898d827c7b89a82688
SHA256 a88b78bf46254d25fac336563d5759fb3dff54e223cb2890d95721f852cfe4ba
SHA512 d2e08d7c4823a4deabdd44903d35032617d7a0a3113ceefdf06f6e4ddfbfa98bfad80548fa359a27250e151fdc7a1ddf2509ed477a5681f9f2e56ffa1f802a58

memory/1812-397-0x0000000000990000-0x0000000000AA0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62ed3a4fe4c475a245e41a8b1ff9203d
SHA1 1ea08a90a42c4234ee7a6eea07a27c9362619a8e
SHA256 ccf6ac7c4231e45d8f9a1018f8fa21c70295151597d06baee7dd3d8793da44d1
SHA512 7dbd1fe48bec3ae28c4aa27316131a5de3258f3dddb06759ee7bffbc241a93ae210e766a7d46e91e83014a85847a3415e9cc1efdd9ee02eba741cdb622fd2f52

C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

MD5 726115176e44d5d0f6ad1db3b0210c99
SHA1 3ac250d016d31342846a9b750f180cbdb7f05450
SHA256 55833b8ae603c8c8c2a0ffed04198f4cdc029a9a28524ef89c6b7d3062dbcd1b
SHA512 0cd059c4b4c43d7335ccee8e1ad2a32109d40f7655beb7321f80311f66d643e4b3b96a2b91e2f5a8530d8809a12616d22746474406677a4a5aa9a5ca586c65ee

memory/1672-457-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32b3f1876075192fb6ed777bad9344f2
SHA1 e82f7ba55a7dfaeb78f16c1f44bc459bddbcaa6a
SHA256 f6f1cf950227ab4ac47dd4ff2e684c86b8cfcac05e2868e2e1771494975e9960
SHA512 a649a97e3acbcfc56e9313676e2a2a61142e00c7e4b56015897f14aaa429cd42731adc1fe6c5291196b6136f6068331c6d8abe328b4b59146acd7b066b6c5fe7

C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

MD5 10bb990532af52a999bd9766192ca854
SHA1 aa88d7ff6b1034a1bdcdd3bd208e962327180d09
SHA256 cb040f86f85da58bb8aa572984baf57aa4f8b52ce8c3ad21e86c2c2928efe5eb
SHA512 a58413708ce3f30b01881c35b2665ff4f0c489947ed3edce8ab4c2c6ec6fef86d5d07bb0fe4783c5477c3bb7c7317bb1962b7e9d85922ee57613dd7fe5c3341a

memory/928-517-0x0000000000020000-0x0000000000130000-memory.dmp

memory/928-518-0x0000000001F00000-0x0000000001F12000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c083f0023308b5b20e1d0aee6c4c51a
SHA1 7a2c3d27b4e69c0aa2b5644a0c9a85362788e6d8
SHA256 037d5355d6c4fb991e7407b82b637af250ffd29ef7c2e93f60be6fd2720afedc
SHA512 7f96b522940e2d55dff6cb9cf46ffa9e8810ef8ca2a2c896b33388dc0c26dbb80239341ec300e926362278e1e9e9fee6230797c90cb3c1e44d7c82a5418d9055

C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

MD5 aa8046e4ac391f541ff855e465a92942
SHA1 7ac44f42abd707ffa19fd5cf1f591d46b356d702
SHA256 f953093acb717d351785b02008911143f9e6c43e90a3b407d1b82f2de1ae1057
SHA512 dabd26f78f7bac17c00fba6592c4e9816f0a0ae025439e4cc2a93d3d92513ac3705f2e4873f970d9f7105565a55b9ba4afe810cebb6e2c8afcb2a6f478c76382

memory/1788-578-0x0000000001390000-0x00000000014A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38070efd742d40025aea1921246f9a2e
SHA1 5fb675eb41815b0e2d2422144ca5f4a002fc6c3d
SHA256 1f144a4310775a73b9c999a1ce1cae4301df2e094cdf8dd6f3fec707a703842d
SHA512 edf573b0c94ef5c8dbd6ce50b8873d5ad2040e2ddb0e99d5d04f68d3994ee9210ae79a9be47a6630dc44daf1729c26bc44149e5c0464342daf9c07bde4fc2af4

C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

MD5 e9ae1268e0db3a6cbe51ca18c288559a
SHA1 a3863559b3b47c5af4152f7d7e41d2d2b003cfbe
SHA256 2a71ff69ff8d6436585560875c5e3169c05440a6e451002850faece368771411
SHA512 03d7c0e2c2dffc54df95693f0110edc7a408f204686f6677a3375b78b10e7f883c2baae08fdea98a967c8b43791b76a3808b3c6fc3d1799f6b76664919aea19f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 217083727a2c06867abef7701585fd7c
SHA1 a653c4d68ed8586e318b60e178875b3d22fd3f5c
SHA256 fcbcbbfb6bfc84565fcd5bbead535474cbc99d08898a579ce065f8931db315d0
SHA512 4c26634fbeca38c4faac1e4dc622b2893680628c047f717caf4081d11d412e3ea372ec689b742579417d6082b8f6dc917c44f78532c28f743c3137fb8e71bcfa

C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

MD5 328e8728b42f7be60a5eaf80db11b64e
SHA1 cf0c0565512abe51f97f4aa2ea4a354b89734a25
SHA256 292925037800de154e6c2d3549350f6c5872af071483188007f3d632f76c2989
SHA512 2833bf6c492bc960571f6030ace4139b950d3249fcae763e6a3739a1aa6d8d68f745a87426de399f5fb847a533eb83e4744483b9f238268f0f7e3d43b44c770a

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:42

Reported

2024-12-30 17:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A | 48
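
A process created through WMI's Win32_Process.Create method gets WmiPrvSE.exe as its parent no matter who called WMI, which is why all 48 schtasks.exe launches above hang off wmiprvse.exe rather than off DllCommonsvc.exe: the loader registers its tasks through WMI and so breaks the parent-child chain an analyst would otherwise follow (the Scheduled Task/Job signature further down lists the same number of schtasks.exe invocations). Two rules pair well here: the WMI provider host spawning a task-scheduler or script-host binary at all, and the same parent/child pair firing in a burst. The Python below is an added example, not from this report or from the sandbox: it builds a constructed event set (hypothetical PIDs and timestamps) of 48 schtasks.exe launches three seconds apart, as in this 149-second run, plus two benign controls, and applies both rules.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcCreate:
    ts: datetime
    pid: int
    parent_image: str
    image: str


WMI_HOST = r"c:\windows\system32\wbem\wmiprvse.exe"
# Script hosts and task tooling the WMI provider host has no business launching on its own.
# Anything started via Win32_Process.Create inherits WmiPrvSE.exe as parent, which is how a
# loader hides the real parent of its schtasks calls.
SUSPICIOUS_WMI_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_sample() -> List[ProcCreate]:
    """Constructed events (hypothetical PIDs/timestamps): 48 schtasks.exe launches from
    WmiPrvSE.exe three seconds apart, as in this report, plus two benign controls."""
    t0 = datetime(2024, 12, 30, 17, 42, 30)
    events = [
        ProcCreate(t0 + timedelta(seconds=3 * i), 4000 + i,
                   r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe")
        for i in range(48)
    ]
    events.append(ProcCreate(t0 + timedelta(seconds=10), 5000, r"C:\Windows\explorer.exe",
                             r"C:\Windows\system32\schtasks.exe"))   # a user running schtasks by hand
    events.append(ProcCreate(t0 + timedelta(seconds=20), 5001, r"C:\Windows\system32\wbem\wmiprvse.exe",
                             r"C:\Windows\System32\WerFault.exe"))  # WMI host crashing: not in the list
    return events


def unexpected_wmi_children(events: List[ProcCreate]) -> List[ProcCreate]:
    """Rule 1: WmiPrvSE.exe as parent of a script host or the task scheduler CLI."""
    return [e for e in events
            if e.parent_image.lower() == WMI_HOST and basename(e.image) in SUSPICIOUS_WMI_CHILDREN]


def bursts(events: List[ProcCreate], window: timedelta = timedelta(seconds=60),
           threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Rule 2: the same parent image launching the same child name at least `threshold` times
    inside a sliding window. Returns (parent, child, peak count in window) per tripped pair."""
    stamps: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        stamps[(e.parent_image.lower(), basename(e.image))].append(e.ts)
    hits: List[Tuple[str, str, int]] = []
    for (parent, child), times in stamps.items():
        recent: deque = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits.append((parent, child, peak))
    return hits


if __name__ == "__main__":
    sample = build_sample()
    for e in unexpected_wmi_children(sample)[:3]:
        print(f"{e.ts:%H:%M:%S} pid={e.pid} {e.parent_image} -> {e.image}")
    print(bursts(sample))
```

Management agents (SCCM clients, monitoring tools) do create processes via WMI, so the child list needs tuning per estate; the burst rule is what separates 48 task registrations in two minutes from a single legitimate call, and the window and threshold are the knobs to adjust against your own baseline.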

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | N/A | 12
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A | 1

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | raw.githubusercontent.com | N/A | N/A | 13

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Speech_OneCore\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Speech_OneCore\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\SoftwareDistribution\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\SoftwareDistribution\ea9f0e6c9e2dcd | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target | Count
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | N/A | 12
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe | N/A | 1

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 48

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A | 5
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 52
N/A | N/A | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | N/A | 7

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 17
Token: SeDebugPrivilege | N/A | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | N/A | 13

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe C:\Windows\SysWOW64\WScript.exe
PID 3680 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe C:\Windows\SysWOW64\WScript.exe
PID 3680 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe C:\Windows\SysWOW64\WScript.exe
PID 3504 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3504 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3504 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2308 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4020 wrote to memory of 4472 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4472 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4116 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4116 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3468 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 1528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 1528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4132 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4132 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3984 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3984 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4828 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4828 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2384 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2384 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 4640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 836 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 836 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3856 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3856 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2212 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2212 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3628 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3628 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 3712 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 4020 wrote to memory of 3712 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 3712 wrote to memory of 5604 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 3712 wrote to memory of 5604 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 5604 wrote to memory of 5660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5604 wrote to memory of 5660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5604 wrote to memory of 5948 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 5604 wrote to memory of 5948 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 5948 wrote to memory of 6124 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 5948 wrote to memory of 6124 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 6124 wrote to memory of 452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 6124 wrote to memory of 452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 6124 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 6124 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 3716 wrote to memory of 1580 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 3716 wrote to memory of 1580 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 1580 wrote to memory of 456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1580 wrote to memory of 456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1580 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 1580 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
PID 4816 wrote to memory of 2564 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe
PID 4816 wrote to memory of 2564 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Documents\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\Idle.exe'

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"

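The schtasks.exe and powershell.exe command lines in the Processes list follow one template: for each copied payload, a MINUTE-interval task and an ONLOGON task with /rl HIGHEST pointing at a binary named after a Windows system process but placed under Program Files, Recovery, Users\Default or similar, followed by an Add-MpPreference exclusion for the same path. The script below is an added example (editor's code, not part of the report) that turns those command lines into per-binary findings. Its input is copied from the list above plus one constructed benign task; SYSTEM_IMAGES, SYSTEM_DIRS and the scoring rules are the editor's triage heuristics, not a sandbox signature, and a hit is a lead to check rather than a verdict.

```python
"""Triage scheduled-task and Defender-exclusion command lines from a sandbox process list.

Added example (editor's code). Command lines are the report's plus one constructed
benign task; the image list and findings are the editor's heuristics.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: lines copied from the Processes list above, plus a benign task
# (the Acme backup line) that is the editor's own and should produce no findings.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\conhost.exe'" /f
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\DllCommonsvc.exe'" /f
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Documents\DllCommonsvc.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\conhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\DllCommonsvc.exe'
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Acme\backup.exe'" /f
'''

# Core Windows process names reused by the dropped copies (editor's list, not exhaustive).
SYSTEM_IMAGES = {"csrss.exe", "wininit.exe", "winlogon.exe", "smss.exe", "lsass.exe",
                 "services.exe", "svchost.exe", "spoolsv.exe", "conhost.exe",
                 "taskhostw.exe", "wmiprvse.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_schtasks(cmdline):
    """Task name, trigger, interval, target path and /rl from a 'schtasks /create' line."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None
    name = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    tr = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    if not (name and sc and tr):
        return None
    return {
        "name": name.group(1),
        "sc": sc.group(1).lower(),
        "mo": int(mo.group(1)) if mo else None,
        "target": tr.group(1).strip("'"),  # the dropper wraps the path in single quotes
        "highest": bool(re.search(r"/rl\s+HIGHEST", cmdline, re.I)),
    }


def parse_exclusion(cmdline):
    """Path passed to Add-MpPreference -ExclusionPath, or None."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", cmdline, re.I)
    return m.group(1) if m else None


def in_system_dir(path):
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def triage(cmdlines):
    """Group tasks by target binary and attach findings; returns {target.lower(): entry}."""
    report, excluded = {}, set()
    for line in cmdlines:
        path = parse_exclusion(line)
        if path:
            excluded.add(path.lower())
            continue
        task = parse_schtasks(line)
        if task:
            entry = report.setdefault(task["target"].lower(),
                                      {"target": task["target"], "tasks": [], "findings": []})
            entry["tasks"].append(task)
    for key, entry in report.items():
        target, findings = entry["target"], entry["findings"]
        if PureWindowsPath(target).name.lower() in SYSTEM_IMAGES and not in_system_dir(target):
            findings.append("system-process name outside System32/SysWOW64")
        if any(t["highest"] for t in entry["tasks"]):
            findings.append("task runs with /rl HIGHEST")
        if {"onlogon", "minute"} <= {t["sc"] for t in entry["tasks"]}:
            findings.append("paired ONLOGON and MINUTE triggers for the same binary")
        if key in excluded:
            findings.append("same path added as a Defender exclusion")
    return report


def flagged(report, min_findings=2):
    """Entries with at least min_findings, worst first."""
    hits = [e for e in report.values() if len(e["findings"]) >= min_findings]
    return sorted(hits, key=lambda e: (-len(e["findings"]), e["target"].lower()))


if __name__ == "__main__":
    for entry in flagged(triage(SAMPLE_CMDLINES.splitlines())):
        names = ", ".join(sorted({t["name"] for t in entry["tasks"]}))
        print(f"{entry['target']}\n  tasks: {names}\n  " + "\n  ".join(entry["findings"]))
```

On this input the three system-named copies collect all four findings, DllCommonsvc.exe collects three (its name is not a Windows process name, but the HIGHEST/ONLOGON pairing and the matching exclusion still mark it), and the constructed backup task collects none. The prefix check on SYSTEM_DIRS is deliberate: WmiPrvSE.exe legitimately lives in System32\wbem, so only the copy under Recovery\WindowsRE is flagged. On a live host the same two inputs are available from the Microsoft-Windows-TaskScheduler/Operational log and from Defender's event 5007 (configuration change), which records exclusion additions.
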
Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4020-12-0x00007FF9F5393000-0x00007FF9F5395000-memory.dmp

memory/4020-13-0x0000000000A00000-0x0000000000B10000-memory.dmp

memory/4020-14-0x00000000012D0000-0x00000000012E2000-memory.dmp

memory/4020-15-0x0000000001410000-0x000000000141C000-memory.dmp

memory/4020-16-0x00000000013F0000-0x00000000013FC000-memory.dmp

memory/4020-17-0x0000000001400000-0x000000000140C000-memory.dmp

memory/836-70-0x000001A9E9A10000-0x000001A9E9A32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilddluqy.pes.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3712-108-0x000000001D310000-0x000000001D322000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

MD5 2b66e567fa9c00e626a71732ad1fe6b2
SHA1 979a313700aaac7f1326e66b4785708a08302a1c
SHA256 0aec457dfeb0eacbbf5c1fc9f09a2e7bc5e148e78dd537089d9b54715a0ef670
SHA512 21f6addf82b2b236f3cd210135f68de1ddba4d3ef60adfc74b4af950ad43f5b65acc639deb741bca128304c388ec9535a5a7b6899827461ba7b96f77eeefb16c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

MD5 14189eadefc52f3870ad3a8230626090
SHA1 5afe2233970df9992c778e8c306b14324dccc041
SHA256 3d4fdfcb8174123614246ef177d93d5f4396703e4d8a604e3d8df5bb9caa2a57
SHA512 3e2bc631e2cf6c4a422ce5fd615d201082066fd04b7ffe064e648d5dc7ae8f7843a6661828450deafdefb52861db4c8b55c013b642db08ffec0feb846dd901e4

C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

MD5 e7760e87969f032723b3d10f83995740
SHA1 13d25952c414226ef0dfa87808b34b18b424cf6a
SHA256 dea6912370d58977f853d0115618a439e393122e9a4ae63dd1c400daf0683982
SHA512 40b2ddf5faeb0ef2a580f71622b82c6e2b7274c2fa9c10c6f5395bf55e3ca33af8f8caf3aa2ec988c962daa81c7e7b70c8d745f4447d6105ef1471cfeebb8458

memory/4816-271-0x000000001B9F0000-0x000000001BA02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

MD5 bfd265c2ca3500cc56ab835812d6d403
SHA1 7827c0af3261f1ddd028d06f3917530c3ec2ecd4
SHA256 578f5c588b918911f6e0a67a50500ee6d2ea0413de6356c3099d32db0b4b191e
SHA512 b6dfbbfcf747f0635d320e9a0bf3a7553757e27b8b6c0f6049b93d633b2c3ebe1c46f379f5c9961a549eb0c4728200fb0e7f3b26cf7995b656c1478a083d62a2

C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

MD5 9dc72ec6d1ae801c888c398cd31a234c
SHA1 4770082ce4db4bf760e4d8fb098c0d7b417d9f39
SHA256 18363d55cd02faf1ba57f7339220e7682b155ee4d7fbcd314de1fb507847cb72
SHA512 3ea1d9cce380297e9dd1c69626e613e8ba48edbc9e629a904073ea691cebb011e06236c7dd5635f21e851acfb264f8acc8e0ab69bc8f59ab059f7701a75ef239

C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

MD5 a08b0b8f8195113cd5fd6ca679ba8e93
SHA1 f321afc15765410b495dec0fb54e6c4e26f872d6
SHA256 a4bd7b34a3d1b76054d2de7154d93ee19dff70b7e63bc9fbf62b9c8cfcfd47cd
SHA512 71c70a992d469f55a6f1c51e5080037da739507be8f153c172a63d495e3b0f7d85a9cb110e389cbb0cd3e958b5797e9f8b3652d7c7c1bdfc6c6ed0f31e775c4d

C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

MD5 6df39eb8b14d09b57731009a9fac60f2
SHA1 68de752141c0a6b65dc325f87a3bfc8c0affd963
SHA256 b71fccd7fb192cb1515bf9751b769ea5f61dde25f6c09df949f7dd04176987ae
SHA512 507a2db0c6a99b5bafbfe8464c0cfcd6a0f3709c0928e3343482e65b726192636986b1bf9516e7b5232ef4b44488deefcf3d96e7cde80c4b5257e9372849edd3

memory/5528-296-0x000000001B9F0000-0x000000001BA02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

MD5 b406288cee92b5e0eeed863124558f28
SHA1 def6858e781536a126e4c8a9c3fd97a804c580b4
SHA256 d5aa406fcc5a115705586982ee0534f08225fd11b1b2b83f282e5b69ee38fbac
SHA512 71ad753dc6745076bf04fb586cef7576b656965b05d1e9daec874fc349f1c6338b342028992191d2e83b6ec8a33fa0980034ebc4bbd97b92db70b5e52dd65fec

C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

MD5 452035c571ae9a4815b595d6e6435d80
SHA1 3974fb46970aac81fcf17ff99d4714df5d1432d2
SHA256 95de8db52b6393e5fd5adc81c8f5328edf9fcbab58508e4fa601e9ad8ab9387f
SHA512 214cfff5e2c097fadb15aeb3cb7294885037fef870b65bcac5dfeb18a83530cdba4156ddaa77ef906b9f6bbeb0ad1d99fd2e199549e67a70a6bdd12c416d567e

C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

MD5 b80587a7b320fb727774a48879bcfead
SHA1 1ebadc705612f330c03bb05f05982e8bb4792318
SHA256 1a6ee64c1cff3da0c182c073eda859c63035a2cce23e2d1a1667ae433671522f
SHA512 8ae4ed2668f522cc2b894fd5f31806f895e0b6d9bbe94482efd8dc446039900987ea6f71f4e987b86d4bd5f8b6df1cddeb480cb12fa3638e8da187fbb98f732d

C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

MD5 490d2396ef7b2763785a7f858d93d444
SHA1 aed7e7cb0b30f35e9f20223f4109c6f6a450e936
SHA256 f3c73dd3d5476de0993e43ed326108ac51c879b466cfc074a6174ed83798828c
SHA512 bbb9a2f7829c0e6b6a6f8e3aa16cb644ebfefde650d38a6bbb1af6a799483fa6f57218dbd2e8c5871c6459ee5a8eb5e9a1a5385c40df3955db14215f9a75258a

C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

MD5 8c1bea0f5539e168571dd508d6a14810
SHA1 1f4df3bf91a4b170c589948005212a89d58e7df8
SHA256 4728dc388c930e697c0454adace9f29496142c86190ef7517e4ec22a22ece20c
SHA512 a65561050718b850ffc3d39cd8461f9ced9e5d473e11f85b4711781f3986d2c13179f3be06e4fd6d5c184a2447653f889ce8e1b8cb04af83c2d5d33e94974ed0