Malware Analysis Report

2025-08-05 09:03

Sample ID 241230-ybjgcavphq
Target JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188
SHA256 6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188

Threat Level: Known bad

The file JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 19:36

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 19:36

Reported

2024-12-30 19:39

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\OSPPSVC.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\1610b97d3ab4a7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Uninstall Information\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Uninstall Information\Idle.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
N/A N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 2428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 2428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 2428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 2256 wrote to memory of 2088 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2088 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2088 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2088 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2088 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2088 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2088 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2704 wrote to memory of 1516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 940 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 940 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 940 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1364 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1364 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1364 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2704 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2704 wrote to memory of 2988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2988 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 2988 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 2988 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 2684 wrote to memory of 1128 N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe C:\Windows\System32\cmd.exe
PID 2684 wrote to memory of 1128 N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe C:\Windows\System32\cmd.exe
PID 2684 wrote to memory of 1128 N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe C:\Windows\System32\cmd.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1128 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 1128 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 1128 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
PID 2652 wrote to memory of 656 N/A C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tF0Pk8ddI5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe

"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2704-13-0x00000000013C0000-0x00000000014D0000-memory.dmp

memory/2704-14-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2704-15-0x0000000000350000-0x000000000035C000-memory.dmp

memory/2704-16-0x0000000000160000-0x000000000016C000-memory.dmp

memory/2704-17-0x0000000000550000-0x000000000055C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 affbc0e6f923b67b278b87a79b2473cf
SHA1 a14362d95299cf334ac07c8fe3ebc531cf7bae47
SHA256 4948cffbfec96fd8b4090522ba5e878550866e68b084ffbc5ca056d8e736c315
SHA512 98f4e3f1931cda32a23ec0ccdfbaf762e872b708e3fb434f04f73868c29a5a12b98a508a69e1114079f47f0d4c02c6fd61580d830e7a3a70bc98b55340f4159f

memory/1516-52-0x00000000029E0000-0x00000000029E8000-memory.dmp

memory/1516-51-0x000000001B550000-0x000000001B832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tF0Pk8ddI5.bat

MD5 a608bf029c6173e8b6c78cbcc28e2491
SHA1 e5f26b4cfe1a69ae2c13e834a45ef2cd0da5c245
SHA256 e2536cfd484b79b72adc6ef8c16ceef4d15605c11a32eaefd223c75a153edd2e
SHA512 991c4ddd1ac33cc186faf711672e785ca61f051d224e61bb0f6b316a593b308c06cd6a77d0ae899020d40cda2370ea7d8b179bdd79d7583cd7a57e627ad46d84

memory/2684-101-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF865.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF887.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

MD5 7902d54b3619f7249f588f2fa56f0799
SHA1 77151382efea2735ab7b514703a23c9b603c6ec9
SHA256 69be0fb7cfc653467656eccec9636229c72e87ed3a5ec934ba5a55e2c499ee7b
SHA512 d69ddb810135d43a603161a20765d17d2116524fbbb3a38817e24d0f14cb336788cedefe16abc60bbbbb29f022765a3680a7653b9993c8d94cd0c7253a850e1c

memory/2652-160-0x0000000000F00000-0x0000000001010000-memory.dmp

memory/2652-161-0x0000000000540000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 584086fdf356051de3cb2d0c89661581
SHA1 5c41d1fcd6d2b535e9b5640fce9ec3ef67fc6209
SHA256 efeae8cb2738a383e34e9c3619a01ca007b57f5e2b469d928e2437339ce8b49c
SHA512 b2be492ecc38e3019b2c5c20fa508532293bdfafcb270b99aa14e3f3e10452d52441a103b50e811d089694a263fa37fa2f37a547a2a55a014a963df8ad74361e

C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

MD5 867731066b1d7f1f8502c866d676c08b
SHA1 90861a64c8ce9c7874ad6a653e7e421aeba29946
SHA256 4ae4af97eb46cc57c753234987f2677562703509db0b42571bf89426a85ea09c
SHA512 cf4aa6a4f770595088181df7a9381d92da5282455b095c262c4a832b2b2bd5b63e6847862fe30a721f16ba6bd72173efe3adb0cfb8d8653f8a5f6db465cdd426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adc0c3e0b6cf4325c2ea17aa01bbb5a5
SHA1 046e2c7be65dc94732b3f51baca6d15d78abbc2a
SHA256 d7cd8ab7cffb7c920264389de4c8f89f3e31fff38d095cbc142099f9eb4f2ce8
SHA512 a515a25a1d284bc331f7d31824116768fae05124a303b34c11bd2061abefd4c396d4e21a7de09df1646729c2a6357e72c3717b976898a14aa78b2448e548b17b

C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

MD5 108aed22b54854e0200aaa981963c08a
SHA1 56e2e874ebdac9ab4a67be1f9d571776caea3546
SHA256 5158fed39ad33613bf46f505ae22c4056b0f4d9952c2c1ca0ea74494885900d9
SHA512 08c02da2019907f43c993daa8b8b3d2e0944790e715a2a7d3ddd21e4850d9529729dc522ae661d3fe8cbabd1a5db42fbfdff85528d901c478f373236be294695

memory/2704-280-0x0000000000150000-0x0000000000260000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e10c7d45f691eb1e6c23bd3cb1cc9d20
SHA1 752f076e9f89799735eea83f7fa5fcbd60f3da25
SHA256 48a30a080abfa8f78b8c29b0678e825fb8793e811fad8516c8b3e8ca4a3d9976
SHA512 3cca636218ad9bd918c0674d5f4fffbd7268341121c0b79a610a0f1f56de393c635ce065c227c07d2c2e537619aebc3f0145f7eedb1910a0cd0f21509b94169f

C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

MD5 73e5960f5efc76305cfe7f538b07812b
SHA1 a8a0b4371bf1633e4ee0c3b8973feb01d2df1fa7
SHA256 ff07bace6a1c8e2e336e773e73aa43f0694d0123fd9f68e2fe42ec50fc0e4941
SHA512 430b0a4fe6334709e687f9fea6478033558c057dd909864fb532b7df32db195a98c6ef46d18ff22538399a908f8ae95e344b76d13a02fcd96994fbb4264bc53f

memory/3052-340-0x0000000000D20000-0x0000000000E30000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88a8aaf82d63f99bce3b29d178ca0dc1
SHA1 bee2ffe8e6667b7025c1eb07ffe0e22b531810ef
SHA256 397eff7e1c8607357980ce01310a94f1453c02d91591801cdd1482e3550ccb65
SHA512 28ff7bafe254570caca72439782ea24d4195e1ffa95d0094e3a256f5f2b92fad61fce9b93c0cc7f0dc01903f8a7e169bae23a4095b11ecd1914c6b5fda04bb32

C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

MD5 0fd5b588fe14c851ac1c53f78212972a
SHA1 6bf021fbbd747e323d011c23666bf9186b8437fe
SHA256 58bb71843cc010abf78c70e43b3578fb5529da68f35022064e83608b641d7f84
SHA512 387328af74e4ba3f5b8772c661bc89fedb0c4ecb9be8731d4fba7e30883d60f3728212d69beb1a965d20efc70b7685ed9053ccbbd216a3f92c0728ba415da81d

memory/1688-400-0x0000000000F40000-0x0000000001050000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4398b1535c6430a52a4ff96184245a95
SHA1 29a00392ec259dfa55e6b4ba8db07a84431c0ac7
SHA256 243a6c586193e7327f5b83a3b85f1562a81b07657ddaf5ec76694a91b3f33645
SHA512 5130f9676968fafde601b325b67c5afaba8662998fae18c036d612565559fc629f16e2531fc6c2606acde5eaf2fece865548ea9d4d3bd29b797179d56372ad45

C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

MD5 93983360ad047a14280fc3b1f20387c3
SHA1 012f5e9649ddee97ce0d266180d7c2084896c248
SHA256 98bdbe17473ca47e8ea2114eaf3501fb51d56a2c7aef64828e179f0a34f0cc03
SHA512 c4983297471c3fa665b39fb02d923e39a11ddafb644636a3bc82afb81f755ea51153985e61b9f0f16d90509a90d90e326d210d36e1d03a03881164a33106eec6

memory/2864-460-0x0000000000120000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7944fd491f504885a4d53e677e3d9994
SHA1 6be602c62fe0cc64802f954d4a73d95e70b0c7cf
SHA256 99a06b06223ee1781590874cca2faa47700a611191634fcae7237ab9d87f4759
SHA512 4c047dec4fd264a80becf68a032957c0cde8c145b8c46104d41798b5e94c903fda98c770dbbd2a3dfacd6af75551c1883bfea0cc10f00a14e68bc6c2c05dfb9c

C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

MD5 937cc04a0ac857f309c675cc3f3d5e70
SHA1 99ed770b3078c53cfdce4f1a76f655318b5aa596
SHA256 63666ab216ed392d1004f77e0465eab871cc72cb8fd3d778657a2ff2ebc36340
SHA512 95c77d341fe7da44d9c9f3856614e4ddcf05b62ddf73a29282387b9e2eb1b85bc746388b678f64dc4eedf1c6f7aa9546846a4860c63a12069d0ccdafb30e192e

memory/596-520-0x0000000000130000-0x0000000000240000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 689266665021df8e703622fbab514d1a
SHA1 4d114dd9796bf1c40d7a46882e6bdf884236b5ea
SHA256 bc3c7276d185726194552299ee78feea529829460e11ec1a1ad966de38603c1f
SHA512 88683c0a245cf7785f942cc4d9ce1c9f7ede5c38fdfc65c251a16fd955d3e9357f45300a65c4aaada49a7d1bce084f50e43c0c86d8d67c8aa24a12e4be47ffbe

C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

MD5 38c0a7a17d0a50bf7a85633dea3218e1
SHA1 b49e147fac39bf2f1647756765f4e429c680d5b4
SHA256 4b181487500f55eaf2a795d8e51ff3d66c477cfe522b2d468ffa3f73a791571b
SHA512 e690dea26140e713d4bb947f8e511dcf660e9853137b53636b2a3635c5ba8b5f5daa498ac111362c5dd4a1f0639b083c5a5afd8ca843c74191b8de1c393d0f82

memory/2452-580-0x00000000010C0000-0x00000000011D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9282b6905c727d52bfd73d36437520c
SHA1 26ab3351f0ac3edad5da5a6ae2413f1472dcb39e
SHA256 f065642757fe07192b10aa7b61dcb06b02712bec070afe867fc67ca9620d65ef
SHA512 b0483f5ab2cc86d2182d9049539d0282327eb0c2d94684251a15a059a8b75579289d7904c2bda81394a150bd52dc4f894682b1b7bdf04cbc1039d7862c9a2185

C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

MD5 98676b47956787315fb0bbe7b6d73d6a
SHA1 0e7aaf44f1f121de529ca3005ff9b70760225ffd
SHA256 a5dfaaee91837fb9f8d2950dcac1e2b87c3206791549ddee3bdaeb2f60cd685a
SHA512 fdbaf2f0629897c33229aa005b70d468f33195abbc9e32698ac0e1f7b035ab10ffe68aa731a54012034a177bbd368706f0604313710062ba618fda721152aad8

memory/772-640-0x0000000001120000-0x0000000001230000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3b719a983f8189247637e6c5c4d3d34
SHA1 57660927bfab7416cf01d87b34263e20a727e7f4
SHA256 165721b11c8ba505a6b5736fda56d50d8e75a602bed8f8497a66528e33c1e6ae
SHA512 8e4acc8abf2cc17ca7b253132438b7503653b51b8ffa9e56d0b4f14785378447539130df048cb7920c310cd7232c30ee6ddfed2c8027748d79676cb92f844832

C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

MD5 61030d59ca0992cffcc24aaa5783f6e8
SHA1 8ff1a69fa00e4321c0cdb350cc5b5da5c359eaf9
SHA256 85d236eb209db5350a49d1ec2b208994e0a18571476233d9923195179fd3595d
SHA512 9a47915fe43655a3df4c320adca39a1a7507f6b72cc131260f4eceadf7561478260aacff66a1bf89668394c9ccefa7c2b0e962e82eb968e8357500441374db00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2d530af0d7f3263a819300b572d506a
SHA1 79925fa419c8cd6857056bcc226dc8df9f3d380d
SHA256 0d2103584ae04261723e33511a9713dd960e7ca50b1aba02489e3a42aa3eb6de
SHA512 dff76891c2353fbdd8805c0c3dd6e22dea5d18fa9203711c2b18fd9e4f94f81f9d49dc25832814c5755633f6d5d56bae8704b5b023d1fed87f334aabd673fd94

C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

MD5 2c05b95a0f03ce0cd24fd368f1cdf7af
SHA1 038542d25e6275881da15a8530a8f13c04738263
SHA256 2a0ea5f3c5588bbe501abf63fc9c787c6b7c37a6e4194609d50f5f9a8616272c
SHA512 83ac30c04f00be5955ddc9cd9d6f34241eaec93ccdc448852e849de504d9410f7643e3220e29fb79a7daaa290f5e82de179c189da075a8f29b3c70b050ae9694

memory/2968-759-0x00000000002B0000-0x00000000003C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 19:36

Reported

2024-12-30 19:39

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\taskhostw.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\121e5b5079f7c0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Uninstall Information\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Security\ea9f0e6c9e2dcd C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\55b276f4edf653 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Security\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\de-DE\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files\Windows Security\taskhostw.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Security\taskhostw.exe N/A
N/A N/A C:\Program Files\Windows Security\taskhostw.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 3816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 3816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe C:\Windows\SysWOW64\WScript.exe
PID 5104 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4676 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4972 wrote to memory of 956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1748 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1748 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 5028 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 5028 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 736 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 736 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1960 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1960 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 432 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 432 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1988 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 464 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 464 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 4240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 3728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 3728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 3548 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Windows Security\taskhostw.exe
PID 4972 wrote to memory of 3548 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Windows Security\taskhostw.exe
PID 3548 wrote to memory of 5880 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3548 wrote to memory of 5880 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 5880 wrote to memory of 5960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5880 wrote to memory of 5960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5880 wrote to memory of 6140 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 5880 wrote to memory of 6140 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 6140 wrote to memory of 1364 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 6140 wrote to memory of 1364 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1364 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1364 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1364 wrote to memory of 5128 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 1364 wrote to memory of 5128 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 5128 wrote to memory of 5644 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 5128 wrote to memory of 5644 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 5644 wrote to memory of 748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5644 wrote to memory of 748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5644 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 5644 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\taskhostw.exe
PID 1396 wrote to memory of 5436 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 5436 N/A C:\Program Files\Windows Security\taskhostw.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\OneDrive\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OneDrive\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\winlogon.exe'

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\taskhostw.exe

"C:\Program Files\Windows Security\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 220.190.18.2.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4972-12-0x00007FFC0CF63000-0x00007FFC0CF65000-memory.dmp

memory/4972-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp

memory/4972-14-0x0000000002F80000-0x0000000002F92000-memory.dmp

memory/4972-15-0x000000001BB30000-0x000000001BB3C000-memory.dmp

memory/4972-16-0x00000000030F0000-0x00000000030FC000-memory.dmp

memory/4972-17-0x0000000003100000-0x000000000310C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhhzykou.nik.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2148-79-0x000001F17D5A0000-0x000001F17D5C2000-memory.dmp

memory/3548-88-0x000000001BA60000-0x000000001BA72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35967cf5ed9a95ec4fe527dd96567a02
SHA1 6a7439c241a30ec540d5d204e02a4cbb2a464737
SHA256 4394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf
SHA512 419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

MD5 c36e87c71b46fa16dfa315f0b1c7d340
SHA1 8447f69f0a5f20dce71900b68fe8a1b6b90d3b4c
SHA256 e6d6cecc32940817da4d81a580106e3df1f8f5d9099d8db86f75e6cee5003ba5
SHA512 4650d3743bc95003e6c34e6beade6815a33d65397718b5887250513c5217e9ca1d7b8a85a32712c5b1fb18b9d3d8129d837396eaf2675df3e69204527744dcc8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/6140-255-0x00000000009B0000-0x00000000009C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

MD5 3500e1f135b812ea01260a0fddd753b5
SHA1 7281f72b0c93697bbb0844e9dcc64a159ae5c195
SHA256 0ecc3eeb7b005df4d0686a9debd07ec7979071e7ed496cb9ad72a7ec1260e6e5
SHA512 9569d652e6b8ba7d9f8d09ae1acdc096beeb7de854f4a838c2fb1772f8a36b52461c58588aa359ebd8f87cf17647cca2d4af0e40117d98b91e82da375ef58577

memory/5128-262-0x0000000001590000-0x00000000015A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

MD5 1ae01551e7f3fe959e97e4f39aa6d37a
SHA1 fc252a011dff3b9ab6a66e7adbd64bac0276128d
SHA256 96fcce8a1aa279989311e8efa73d49319ad4478fabf877298adff6d7ec518201
SHA512 0c20841e0320251ad22983d04243d0c207426d370347a85cc1033cab0141abeef315a77ed245d79fcef135078e29d3a98b9033494ff0ee129b8bb338890fba99

C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

MD5 ceb1d562cf88dfde9e77b6f9493d07bc
SHA1 a74261badd9708f42e570ad0a5aa5ec23b14ba78
SHA256 e789dc7b7f62176e607115e275fe2be320b8162f13ff200501d96e6c7af43c42
SHA512 0f63ff0892acc15af423e3d574d3f0175eccd4bd8ac3e60a949bf279db3878ba076e06e2fe5a20d1db14c8d4d70b6e776de707eb36bc81bf69eb9677c1108927

C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

MD5 bcf35aa0ead7ba5c99139b39044daffa
SHA1 abcd916fd9d90bf13338970e3d1463102dfaa834
SHA256 131d22be0e934d680e0b03bef82b634ccf467502c5bd3e95a4076c10adc8d07e
SHA512 0f1fd45f7d43e9b489000f6e6fc22a423af0b95634ecee2c5dfe166878858cf0bd2c843a9846cb9423be9f42a5a7b40059eeb53cf4e23e77f12339f776c5d446

C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

MD5 f14c34050d1157ec37ae7cca15612ed8
SHA1 826541b8a21d86c9b00f65af8886d833f996d20f
SHA256 ae728c0758ffd65e86c741e923aca0ea2302196ed5721b6f77bd8ad2a3153a11
SHA512 a3fc621cd2fbb121dbcf7f465b8ceeca21e74781738af2b5df5939c872b326abf4fb0605dcbd139fed680dc177d5d85b42feac5d4104d364982ad7bad2df99a4

memory/2412-293-0x0000000000E40000-0x0000000000E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

MD5 6296f6d231956820575bf87c76179d47
SHA1 0bfff5a24bba37544c1c1918fea515fef41fb96c
SHA256 f85b067da3e9ae64505f74f5552d6714dccacbae5f7feaf45455019f98d70ac6
SHA512 2ae53488914bd7539e801da601ec3a66a491c94f14b33e1b2e8b2b630edb92768743bf7ba827ec8638f91cc488a597375fadf78ed05280f69bfb14d425ed2b6e

memory/4652-300-0x0000000002330000-0x0000000002342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

MD5 abbffe0bf745eec7c5eee77e30c93cc1
SHA1 ce783c9c0d9148fdaaa9429134ac1734e56274d5
SHA256 b1d31e3ef8fab811bd06d7d160b684b4c0ab25e69bddd63b65f6ca80a8f28e57
SHA512 417bbefe171c9cd8453fd4e3f1fe0a7c7b462fe27dca898aa2dc7097e531805d7c513851260d5f8d1f8ff343fbef61397857614d81a32a9268a6fd4f4794d513

C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

MD5 27052cbbf957c64cedc31c22d639b031
SHA1 16dca565c0d856d3f59e7d93b9a08759877cdcff
SHA256 5e8636bd3213752fdf02696e6a304705c61cfbd068a32824cf4f8245d92e8ebd
SHA512 d1280fcef0f9c65c9b3942d406dd73a41572ca782b67f0fb5d3e86e04e0a5dc8c1f43e6336727c7dc9f986a603d5e384c9de73b75f05db0ee60dcac2a60210e5

C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

MD5 9ab063afbfc5f17b288129028e36fec9
SHA1 b1168495750ae6c1f4d83d30c9f49329c0a7e4b9
SHA256 80b4dd583872ad813d7eaa24d500e9bd455c27b796290b29caae079034692f3a
SHA512 f82edf046174521412b48373c7d7415156392ad7a76a16830b04108c57c6575203dbdde44ca4dcb787136cf9214f59dd9efbca659d80c56c12ed7c1b9eba2d60

memory/5016-325-0x0000000001330000-0x0000000001342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

MD5 aa64cbc430f1a5e51a6412e507bf5119
SHA1 d81b0366fac079b1a804c7b912edf0cca5dca86d
SHA256 21ec58eaa439af3387c380f862fe734ad4ac1ed95f7a31fc7e09dce4e537c07d
SHA512 b77fd0b42ac87fd4e2f197929d90bafd5bf3473c5c872209b50dee0d8a97751fa92c510c2450c42fe2c864d2f89393e31d9ed9104c36fef430e997115c93158d