Malware Analysis Report

2025-08-05 09:05

Sample ID 241230-wbqjjs1qbm
Target JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb
SHA256 9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb

Threat Level: Known bad

The file JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:45

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:45

Reported

2024-12-30 17:47

Platform

win7-20240729-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Count | Description | Indicator | Process | Target
54 | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Count | Description | Indicator | Process | Target
8 | N/A | N/A | N/A | N/A

Loads dropped DLL

Count | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Count | Description | Indicator | Process | Target
12 | N/A | raw.githubusercontent.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Uninstall Information\System.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Defender\fr-FR\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Defender\fr-FR\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Uninstall Information\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\de-DE\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\security\ApplicationId\PolicyManagement\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\security\ApplicationId\PolicyManagement\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Count | Description | Indicator | Process | Target
54 | N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Count | Description | Indicator | Process | Target
5 | N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
19 | N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
11 | N/A | N/A | C:\Windows\security\ApplicationId\PolicyManagement\smss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Count | Description | Indicator | Process | Target
1 | Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
19 | Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
11 | Token: SeDebugPrivilege | N/A | C:\Windows\security\ApplicationId\PolicyManagement\smss.exe | N/A

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
4 | PID 2072 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe | C:\Windows\SysWOW64\WScript.exe
4 | PID 2368 wrote to memory of 2492 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
4 | PID 2492 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
3 | PID 3004 wrote to memory of 2268 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2264 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2488 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2392 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2464 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2368 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2924 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2140 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2856 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2756 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2184 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2904 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 1908 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2892 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2716 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 | PID 3004 wrote to memory of 2604 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1 | PID 3004 wrote to memory of 2736 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YAkRWmVbYY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\ApplicationId\PolicyManagement\smss.exe

"C:\Windows\security\ApplicationId\PolicyManagement\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3004-13-0x0000000000130000-0x0000000000240000-memory.dmp

memory/3004-14-0x0000000000270000-0x0000000000282000-memory.dmp

memory/3004-15-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3004-16-0x0000000000280000-0x000000000028C000-memory.dmp

memory/3004-17-0x0000000000410000-0x000000000041C000-memory.dmp

memory/2264-63-0x000000001B630000-0x000000001B912000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7e116134ab8dfc6c29d9f036451cbfd7
SHA1 0b9dfcb82356de77b9fe22a87189cad3bf48944d
SHA256 dfbe5678764043150a0cd8cc5db3f5d915e0fea43211f6c7ddc4c0479e445954
SHA512 7d1a0e7890fa100bc34762e604fa3386cda35dcb26dbbae82ff44fbd3faf4f479e2d40b5291f083ddcda8545248b702899b178206651ba201cc6de40bfc08d80

memory/2264-64-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YAkRWmVbYY.bat

MD5 c91b977681e6d192c029c06f82b067e7
SHA1 7253c2a6b696560667319b923a2f0a75723398d7
SHA256 8b7ea82e28ddeba1099c3a8154d86f8645b689e7e342186f07bd84e725e1fd67
SHA512 e5505d9140830d09981b72ba2e6754b8e9dc2188bd6ce04298697d747a932ceb98bdbaf1f6fd1838edad723828941071fbb366a84c1679eaeba98d0575e9c26c

memory/1248-154-0x0000000000F60000-0x0000000001070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabEA51.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEA73.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

MD5 b02e127420b6ed04bc6df52824ab41f0
SHA1 42c6ee11e991ce0f9d211615afd3e80b57fea3a0
SHA256 2cc042406b0cd7a0293ba2aed3b5ea5a740017ef5635b828ed50f68f45634cdf
SHA512 f7c106bec7880b3d4f426a90045fdc9da81cc0119115110475cdd1938aed0239f07c1109d68c5bf77cd77bddae670cfe97c04c1d4b49102fb32171e15b9835c2

memory/1636-213-0x0000000000300000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 843730a6cc770eba67aae8587c87b5b2
SHA1 12a9db311979e2107f76830fc7eb104aa665c948
SHA256 aabc2fc80953306c0bcbfed78589e16238ca6c72c6c8372b478bfb04f390b2b0
SHA512 e110db50a92bc52d44ee1063f3fa6d2d083345654508eeb3a4c9f6ec4a875d9545730d277c00a2745d469bbabca1fb5c4ed1c13bbdf5c41ef06563e6f558cfe9

C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

MD5 91bf647bbd7007eb8d7d6e2035dbd243
SHA1 1feee9b7e3f8034e498d918e619ebf9cf1d4c0f1
SHA256 cb7f88b4dd72ae3da392120e4494443aac4a3f4a642e4a214bca5f74c7a6a033
SHA512 cb0f2c578e098e27394afab8b4dd916f28fc92dec769a852285b09544ca73f6198ff14c190f7bbe68c3ecfc1963cacdefa8f12e0aab5bc3a9c536c5152cf668a

memory/1908-273-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

memory/1908-274-0x00000000001D0000-0x00000000001E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a574f001c748a9b8346a955ec362768c
SHA1 555c0d5959c4be94070e26372bd782654003e2fd
SHA256 f43d91e0fc148c7f7cbfa9a034a4177cc5a12cbe96bcefb2667f8d3d59d84b9c
SHA512 59c75458344dc37a746413c3e2824e8f389f10712d2e48be3841bce6133b0b24eb64a3fd12175f59021c91e99f94ae3cd0801785a21d69c3b60dc42288c8bb49

C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

MD5 6ec90b71cb0aa1f05d71d264180a529e
SHA1 65e21bca0d38378e864f943ab7bf8b19ba444653
SHA256 ee736e85a233c71a88075d4f1a898562ecb536e031d7450fc0be122cb7e22f3b
SHA512 1efa465870c1a7cb975c3ad29f3e7c2c8405096472284afbf646e1acecea0ead3a0c49c61d9a53bfc9642cb6e679336b40352a86ee34e687965aee2685c282b3

memory/1888-334-0x00000000003A0000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d526e68802e00638024167b50fb4269b
SHA1 8108dba5221f99ab7630950e7e07a4d2fb94d0a3
SHA256 753c0ab455dd4e0d3d16b3085b90da8363e1b2e152ee71a5da24794d094abe7a
SHA512 c5e4ee7545458d6fdf0f600c0fadfa4dcb5fd77eeed297d314aa133dd211cb286f0a2f75dd0b72ad09035b0cd48bb9d9127d67534bf0aaaa730d9c5e172f7719

C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

MD5 634d76a9351e14c31b796fde65aba53f
SHA1 1b5a19ac20c1fe37a2dc1101bbfbdd55ca5d4ecf
SHA256 047fff8ce244d30902e68432cf2d1eede790c77889b6aeb6ac78a3a3f09caaee
SHA512 533d3099f1f52b4a2f3a45becfe1953833b22da44ffeb91c974091bfb1d2752405d85355b24f4078062908d3b3ea4a703b07e8672f55942ce502ce0dc0d417cf

memory/1796-394-0x0000000000110000-0x0000000000220000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7a5671b885fbb212b36885f15c2f164
SHA1 5b477009255b063f9e8122e07d5c87c85da2b431
SHA256 38794bf22ed9e261e0dd800f20e824189713cce25f672e5d5d7414b66e6256fb
SHA512 3f00376f7b14f9203305b9f38f33f837eb43726701672e6b0ebe13612e8a8a2b1110cebffa3f199b2c08e444703951133628c0c5d2c153906b5831f7d18e98bd

C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

MD5 f1dc49f68868a04351965a34a5dd6140
SHA1 e62ea58c941ec3fa5668288c9176c6b9cc5c9299
SHA256 22e2d9c06df2e983ea9e549137e8a615b5febee5f7d8e8526e2edff0458152f1
SHA512 8bcd6e370b1af61cbd74c6b599485a086984f261ce63c9f59f374d8aa135419a92dd2e08f4206e424acdfb2239ffe7e04bb9307ae356d730624714ff05d9018c

memory/1592-454-0x0000000000FC0000-0x00000000010D0000-memory.dmp

memory/1592-455-0x0000000000250000-0x0000000000262000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0478932949fad9bd72ccda6a42e99078
SHA1 f97a33effe66ec3d23d5a28034f9c00677d58f53
SHA256 826f2f4066a3338b15c9adc9e019a518c4ea9b0c008f051c7d6a3437810b491f
SHA512 1a2e34a921d8865206baec6c7f150812d1a182d4884d56344854093a4347497d1f7e1819c07b7bd481d7eafbc27b2b42f9985a03eeeb62814f72dda3f6c5852f

C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

MD5 892ff23822f628bc0b138b6577feb18f
SHA1 1e702a9f36eadbacbe0e1ba36e5ff3d34e7e011c
SHA256 d2916aa3db050d514c4c217c9a32e9d22a629ff94f14ed47b7aa111d86197ca2
SHA512 4998498169131ac202ec830e7c9db925c103724a528c3cb79dbbd63657b1a522bedf0c60046cc212260d857b51f5b595a4a5acbef389ac6d7ae8c085ee741eab

memory/2956-515-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1199253a33969a0fdeaf6bdec929e7ae
SHA1 92b3cc7aaea828cd261ff01baff46892fc9545a9
SHA256 2ac3bb74a1287f30e08680391564eb088649a2cc058cb6b842fa2b712b1b3d0f
SHA512 d0d6226e02620ab2c4efaccf6929538950c8e62473ee7af83c86313f98b6524eae340b457fbf255155937e33fb62a45477d83ac5069f6e293a0c099911e61667

C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

MD5 de4cfa21f10d01cc5b6c5364c5084507
SHA1 e5fe475232f5b87850ef2e3988a4eda01b910148
SHA256 f6f900211c1133df0539c0066047aa1d654ad7d53f4cd45fe4919c2ae5c955c0
SHA512 d2b9a2b7910243de1a4bb15226387b2ba48942043720b5f81b725d875af980dbe01fea0eeabc2e9d9b0cac686369be6bb066da63ed1e26d0b861cd857c80824b

memory/2288-575-0x00000000001C0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc887d65d62afdcd019ecb9e290b87ad
SHA1 31c3729d66b40477c4be0fb681a9525d34571b3a
SHA256 4eabe1891d0aabc9a74a8c368bae7b8c187d75787e8d86d649d63fa3bc47ddb5
SHA512 70491f6b26162f7bb99d3ec07800d464993b47fda35d63e6fe612ce11c2b22ab0913a4e5ac9deb9cf5cc7a2fe7f947d936aaec04bdf741d2ebc9b613f8965687

C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

MD5 ffc5df1e852e9bd0f827039607b3003f
SHA1 aa94c690aa55af2adeaaf3dd93d9754eb9a2e49f
SHA256 340beb780393fc2a6ab1fc29cd7eec78bc75775f958a0d87034228b4cfb5f9eb
SHA512 392cf6bc9f068675ac8fe1b48ad6a04aabab9d17a9851bbd5b57ce76134d841a26ea7522ef313ea3242b6bb15cef3e4ecfed7b6199cbe1ce9cd5b836dff3144b

memory/2852-635-0x0000000000240000-0x0000000000252000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbe67d514efc35c4888d96d4c26bf531
SHA1 233ff6f6ee93ac5116dda42d922c7bc009c83731
SHA256 3ff5d04e54c60873370d65ff8e5c24ff5e75a68805151fa63f2649b8493b4676
SHA512 3d97054a4712b2ed2eca17038b6ccd1aa9ec852dd43e98725222f58427c248fbf936fdd82d092c3dab680e0238cf09a4b59c2fef5be88084c83eb72522dfe257

C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

MD5 5dd2400f8fe6746d170e3a9ae3d36e68
SHA1 3c67f0737395522fe8f5f798dd09cec28692ce9e
SHA256 f9a1c7b25a7774348d53f867673fbbe1d1d58256da98d8ab46a206a71f7e79e3
SHA512 1e33af2afbb7df755cfd70369a91e224f09552d590a07d36bb0e4be58d68d935e5e48eec23fd720c79d3e0557f5d9fa3847c84471c3bf3257158da5d8ada8f9c

memory/3048-695-0x0000000000240000-0x0000000000252000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79e1f658948dee3e8d3696f86ea8d3d9
SHA1 2570e1b9b002f794a43504eab0efd5ff38d34602
SHA256 3efa1f5aa38bcf0d4277554191eb74d0cf55ca5e0366e489e6eba1a5824c1646
SHA512 ac8353c959d4921f83ba767c1a59b7764627a89ba44a94dc0095a722ed8929df03cf72e33f237b0a501f5140f8a8650a455f49de85185dff0a0e07aa7c40f0c7

C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

MD5 976ef28c72e8d7781fbd9edac354ca79
SHA1 56bcfb4a19cf5e03488ac6be9840c19e60e70d82
SHA256 91e900fafabd66e077b7566fd9ae1b6c426fff62b6472cd31a8fb7fbc7e0e121
SHA512 b2fccba95c83c92768b20e54087e1d6c714bc269a46d8d42f5b564f94a6d3563c1079e47c95f0e52975ad8e4d0922a77f74604004895cbedbd6a6e71fa58aa83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4ad68b1774a8bd236a7f9462f191a85
SHA1 bd0f40369ef330a08a7768d66e302a1d7c3cc239
SHA256 9997ab9718510aafb6d76b9e532a40fd3d3b8acf78e0f18060b73284d8349062
SHA512 88abad87cd136f477cb918ec978179148376ede692b71a55030be97535b25d5c2338397ccd705e37b0487dc8c604e570390419664d4eaf3eda90891038c9fe2c

C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

MD5 d734814447d1b3ee070eb5ffc551e83e
SHA1 4b8fdd0d3555f417eded18c0e4840d3a16286eee
SHA256 8f6859d20883fa6b6bbd89b95dbb419f4716e15deca2dcca5b6f084e46968b40
SHA512 7c1f69b3c9c788e336697b3efb08d6869187e1f59ac4ebc3c94ccb9c8778c9e7be53ac50044dee2e184cf80fec8c9297851fbd41377be300217f8a5edb9dc345

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:45

Reported

2024-12-30 17:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\AdvancedInstallers\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Recovery\WindowsRE\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe C:\Windows\SysWOW64\WScript.exe
PID 2364 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe C:\Windows\SysWOW64\WScript.exe
PID 2364 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe C:\Windows\SysWOW64\WScript.exe
PID 1888 wrote to memory of 3456 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 3456 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 3456 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3456 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3456 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4384 wrote to memory of 4400 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4400 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 3272 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 3272 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 2328 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 4384 wrote to memory of 2328 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\WindowsRE\cmd.exe
PID 2328 wrote to memory of 2092 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 2328 wrote to memory of 2092 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 2092 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2092 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2092 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 2092 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 2356 wrote to memory of 1752 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1752 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1752 wrote to memory of 4040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1752 wrote to memory of 4040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1752 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1752 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 2976 wrote to memory of 1012 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 2976 wrote to memory of 1012 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1012 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1012 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1012 wrote to memory of 4196 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1012 wrote to memory of 4196 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4196 wrote to memory of 3220 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4196 wrote to memory of 3220 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3220 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3220 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3220 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3220 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4960 wrote to memory of 4052 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4960 wrote to memory of 4052 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4052 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4052 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4052 wrote to memory of 3224 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4052 wrote to memory of 3224 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3224 wrote to memory of 4384 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3224 wrote to memory of 4384 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4384 wrote to memory of 4604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4384 wrote to memory of 4604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4384 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4384 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1944 wrote to memory of 4896 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1944 wrote to memory of 4896 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 4896 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4896 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4896 wrote to memory of 1192 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 4896 wrote to memory of 1192 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 1192 wrote to memory of 3968 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 1192 wrote to memory of 3968 N/A C:\Recovery\WindowsRE\cmd.exe C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3968 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3968 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe
PID 3968 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3aeozqda.45y.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

MD5 d3f03040e80d0a602d04849ad0565ca2
SHA1 ee87b71f45c9ae090b103ee307c2e11b3e170ac0
SHA256 6b7dd84566ce0d104a3a8326ee9615b6138a0370995ed4f07b539fe49c153d99
SHA512 1f3fb2d0e4137f047d8a821f1bae0b6c0276e2f3fe5425a0d82572ed85209c9fffdbf62668d7ed9cea424775157fb254af2312e656ba39d5884aa92a3bee2a21