Malware Analysis Report

2025-08-05 09:03

Sample ID 241230-yccp7axrbz
Target JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8
SHA256 ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8
Tags rat dcrat discovery execution infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8

Threat Level: Known bad

The file JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 19:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 19:38

Reported

2024-12-30 19:40

Platform

win7-20240903-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\WCN\fr-FR\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\System32\WCN\fr-FR\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\en-US\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\lsm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\en-US\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\lsm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\101b941d020240 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\101b941d020240 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Photo Viewer\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
N/A N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1320 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1320 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1320 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 2516 wrote to memory of 2876 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2876 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2876 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2876 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2876 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2876 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2876 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 860 wrote to memory of 1680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2152 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2152 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2152 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1936 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1936 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1936 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2952 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2952 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2952 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 3060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 2104 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\fr-FR\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe

"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/860-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp

memory/860-14-0x0000000000980000-0x0000000000992000-memory.dmp

memory/860-15-0x0000000000990000-0x000000000099C000-memory.dmp

memory/860-16-0x00000000009A0000-0x00000000009AC000-memory.dmp

memory/860-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 87b41dcc0767ad387ddd3492be40d4c9
SHA1 ddba120cea1f52d1435d2d18ee9b867adf62b4f6
SHA256 05299005df00b1f87f5938c5231fe3045034ef476f1e98091abf8f83e1053e4b
SHA512 808f3beea439971853ac3ab0aab04db14e22889cf64f3b4ccfc9f18f775017a0a8aae26a42f56e539590ce5832674ae22967260ba00ad8784c8c79ba6bff11e7

memory/2152-81-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

memory/1320-99-0x00000000020C0000-0x00000000020C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat

MD5 11c4e07a5a64d17f181dff9476d2dc96
SHA1 9ff997e24c622601f7ea36a146f3eb5a8212895c
SHA256 03313685cb2065d77852dadb6c6b8250faf9d6ce32735d90660d448d4ffbb5b2
SHA512 44fc1c800832cabdd57d1694b18835de1418ec9bdbbc49765800e94af01cd466f30cebccc7e6e66e29644d9a186a26fad1bbea432056f46bf3c817a785b2be0e

memory/2928-147-0x0000000001220000-0x0000000001330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab41D3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar41E5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

MD5 e243a90c72f4a3373441d214b1c5fbe1
SHA1 2fdf55a1effc09ad2600b07c50391b638162bf08
SHA256 6605ad6935c3e3cc5900b7e56a14da4bebdb352d93648ed290ebd6ec3285d9df
SHA512 c4186a0b2663290e0d1d44cd8cad5c98740c7cd83aac75ac012980cc9d1d256ec0c9ce0dbf795da5c90d3303e59fab383df426db9ae740668850efbc53a75824

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 456b8ef188133520ae0848f9bb63d3c8
SHA1 236de0364d6e99e6f2c579754b9cc959f200928c
SHA256 4d6ecf640f6690e530ca28c937b9807a23e67b86b1d765b8de9a44112630eccf
SHA512 b2a97d567362ecc0b39a019750dab67e1bc53332de1866f9f73ece617c39af49f14735f709318c03e07321c482401518d644e922f74028a62a767e560771e3b9

C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

MD5 31625a0e5bb16e5f06e58f03c9c385c2
SHA1 8768cfb863f0f800db69f394e666b4b93e8633b2
SHA256 65051db0c8e095ba16bbd2ad6ca08401ee36a5d1ea87f438ca6da9dc9cec8eca
SHA512 c49dc4a4fedf19de787242beec9a11ffd89843840faa43617f8206b03c336650b4ec3425729045bc9b502ab09743d15ad4526337b05c68fe2454a27c4154f344

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16e6730f65ed8936039a65e6b42d1cdf
SHA1 4b2c4e7edafb8c62d6b1d696f45644d86ae7a48f
SHA256 7a75bde31eb0293e598817235210f1c1997161004839115ae8c2a48e99d6756f
SHA512 61153255c9b2435ecb355599a90e1b8959087eb60c3dff694b279c4121315d8a5a675888d0235cbac3feabfa7128ae8f300a299fdc2d18a5b7156b6ac76c9dc7

C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

MD5 c641a2686fecd0d81a6b43fca3653825
SHA1 cc1f4c7b3aa0efa1f7a51d917fddd371b3aa5c38
SHA256 653dec7999ab0e83a1bb07d5bfe00085ee8d8f1b8ec0ce8db7182615a54106e1
SHA512 5902e00e3e22a8b158465160eaee57b318ddfccb27ed652b78cb9cbc74a7796ee708c7a28eccec96564f7751c37ed11472b3672c676948e4fba648a65203eae6

memory/2144-324-0x0000000001320000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb264d8bf97b2a415c3bda1145138b6b
SHA1 9557583208b2f6711f8e1fd074efae29763baeee
SHA256 31c4f9e327d964548c13580cb2bd7333ff559fb8e66616e750e8c6c7172541ad
SHA512 ff68b0036015af8bbce8dca8a54fed84162c2c3e48929aa52adaa5e0d441bb9b644c8a3d806d3c9c0581bfc704a8a50457f7ebc20e4a2e31bc2f82f3650f5544

C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

MD5 682c3154232774ebabfc6d48035ae321
SHA1 fd7b1f362822b17a30b92b176967f4989a5b4c23
SHA256 4c972acfce6c271e68ae8ed67d6cc09f87e63f102ab6b3c0047aad2083273c00
SHA512 0703cf9c5ef2dcf512ff0751b00c6fa1b98c99dfa387478387b8544c3e3c520dfc6bf9195e7024740d35c5a866fa478f65b6c0e7abd265c01e31802b6a6dba57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0807d34a9eab702c04b8abd8f8063750
SHA1 c7ca1ae6604a4ffda07d966dbb9d3fecfc4b06a7
SHA256 98530b23e701e1983853c1cd5c0d81748808c5164ad90abe346e8f19180a3fa9
SHA512 aaaf77a693c109fe366453ab29eec255148759ea8eda85c5d4745e0acdefd61857789c1bee2270fb79062f2f271c757fa6ef42dc00857c96eac3e007ed3cdfc6

C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

MD5 7dc01dae3501e2f80aa973219777c893
SHA1 e6c419ba8b92bc942fcf153c50e4e97764585b78
SHA256 dae77823b8211b61a1b369bfd00eaaf092a0a0cc60fce7432c45a635c3727c52
SHA512 aa5d5eb98aa2cf4529bd8cdef69a61586a4640802c5068fa91c2f720e745cb16a82231a6f387c1b28ade25832ba0d14b917d402aad1fb47036b8c4307a2f5344

memory/1532-443-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 959010cd9a3e4e89316cf8e40beaea85
SHA1 f080deb643e62243ac02ece09639acb60b5875a2
SHA256 8645870aaeac5fb43e41033572bbbb6ef0e866a4c64cb6337256e8c6a573e8e1
SHA512 4b5e8118c72d4cf6c46c6b03c52c8d102bf9084a3748199665ce31cbe3f20088af34e2a2cc10982fb690091d29b4a16a4c89aa4f9ec240b4cd1c0314e94a794e

C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

MD5 97f7e4965159349e690ba9846730dc5e
SHA1 4bac3ae9fe00409dbf7de35348c9adfe6a0a520b
SHA256 aa6f5f1ffc6b7d80183937c244d83d46d29c2a4b4e61896c6dc4f9e3692522f1
SHA512 95059a8e36be8d2c6dc0e5a8962a89029ac2db6e78958e7fc850e081d3182e79d6f1e07536ddc6de99aa43a3fc6702de47c96f7a37a05e4575121e6499cf983d

memory/2304-503-0x00000000001D0000-0x00000000002E0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ccf05fc4fca8a5494f77a78bbba08e7
SHA1 dc9441bdd0bc1f4360d23c6ac4fba574e32f3569
SHA256 53ea12ef6e846bd0c5100d063c566ff71730c0afaa40ca2194762e1b427ed9cc
SHA512 385dc2ae7ef414390e47ac02ad4fce3827387b215f4a09ee7d9a7f8d180003b9f36290b6e89f3ce452ce1a083a3c7437481679ead88f64b18ee3ad41af3daf6e

C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

MD5 f82ba89edc6ad2d56640e576f2fa4694
SHA1 9deac0efb2db60fd80adc8d0ef6bb3f368384489
SHA256 d0ec0cfa1ed30f85559545f3c6e83cd4403a87472d2f0f81939d816cd88d5d25
SHA512 b6e3bab711c3b8422e05c729afd4ff0f5f4798f98b320ee9ddccce335b1ac39f1f0562c1cf8ed93a465e21bd52cd7e5b6372c1976bb127e2e8091ffb1bff9ef5

memory/1264-563-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ccc6ad1e01fafa58ebf017d666444bb
SHA1 4a68bdb06b4906ea322d0070ee67fcf4472318fc
SHA256 52d4a162f038ec16e9d2c59426d6e1d072f4f6efe11da4fe8e58d9528968b915
SHA512 57c44d699bb53d00c7a0c286925ba6f28176ce73297db141eb9654173c3dd08b27528026d5e63c4e6910df62f9052c83ff8b0bc9879ed949d820c514f9b5b69c

C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

MD5 0b4688e256931570dd6d14f4815d7b2d
SHA1 f59f36919882f85a1ddaa61bafc9e585bf9af58b
SHA256 8a4b11e78e175330f6412cbd72e76b92f732da360687cb483f3871ad449d2a66
SHA512 b7516f0587ca1527f6fb6ca3f7dda7a24e57c04f592604477d9d0042f1cd2a103cd1632069b074ae7847ab140f4f9f1ca9597cdaf76cae462a04f536b3b85947

memory/1644-623-0x0000000000240000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ac099f14a4f104859a918bdf304173
SHA1 ad547c527338f3779de690ee32366cf256467b94
SHA256 ec01912941c4da47868a0d5e4e79eeb1034500b627163a057446930182bbe6a0
SHA512 bedccdef01fe5771863e0bf9fbef3c2e2ffe2a787b92fd6865e93a887e79d394e76924eb8a27b7c6058bf3ecab98f037a3cdacbbc0cf26dccf4f11bee2e7f4a7

C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

MD5 ec125ef596af446fbd5883ccb82c3ae0
SHA1 7384be108caab0888657141fd0c15af7d68023b8
SHA256 9a39f2779a97bfa8ffe25245e156497fc9b838333f46504d1b69828e17e053c4
SHA512 f894a117a5897fc39f2e2c7028500fdd3002eaa659bfaaf7f863adcca1f4abb6080eee3ff09fa7f383f2e34fa6cb0113a4bbc577d0db479099345c25b6453d4e

memory/2616-683-0x0000000000B10000-0x0000000000C20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 19:38

Reported

2024-12-30 19:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Default\Downloads\Registry.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Default\Downloads\Registry.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Downloads\Registry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1868 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1868 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1184 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4388 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4556 wrote to memory of 1980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4436 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4436 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1348 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1348 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4556 wrote to memory of 4620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4620 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4620 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4620 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 4620 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2356 wrote to memory of 2836 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 2836 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 2836 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2836 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2836 wrote to memory of 2216 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2836 wrote to memory of 2216 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2216 wrote to memory of 3028 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 2216 wrote to memory of 3028 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 3028 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 3904 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 3028 wrote to memory of 3904 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 1084 wrote to memory of 3076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1084 wrote to memory of 3076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1084 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 1084 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 1672 wrote to memory of 2472 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 1672 wrote to memory of 2472 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 2472 wrote to memory of 1520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2472 wrote to memory of 1520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2472 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2472 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 876 wrote to memory of 3040 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 876 wrote to memory of 3040 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 3040 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 3040 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 4628 wrote to memory of 4268 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 4628 wrote to memory of 4268 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 4268 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4268 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4268 wrote to memory of 1804 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 4268 wrote to memory of 1804 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 1804 wrote to memory of 1764 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 1804 wrote to memory of 1764 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 4888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1764 wrote to memory of 4888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1764 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 1764 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
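The WriteProcessMemory rows above are the only record of the process tree in this report, and they have two quirks worth handling: the sandbox emits one row per WriteProcessMemory call, so each CreateProcess appears two or three times, and PIDs are reused within the detonation (3076 is a powershell.exe child of 4556 and later a w32tm.exe child of 1084; 3028 is a cmd.exe child of 2216 and later a Registry.exe child of 1764). The following added example is not part of the report or the sandbox's tooling: it parses a subset of those rows, copied verbatim, de-duplicates them, keys each node on (pid, image) so PID reuse does not clobber a lineage, and walks the chain back from any process to the original sample. The row regex and the node key are this example's own assumptions about the table format.

```python
"""Rebuild process lineage from the report's WriteProcessMemory rows.

Added example; not code from the sandbox or from the report. EVENTS is a
subset of the rows in the 'Suspicious use of WriteProcessMemory' table above,
copied verbatim with the sandbox's duplicate rows left in. The row regex and
the (pid, image) node key are this example's own assumptions about the format.
"""
import re
from collections import Counter

EVENTS = r"""
PID 1868 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1868 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe C:\Windows\SysWOW64\WScript.exe
PID 1184 wrote to memory of 4388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4556 wrote to memory of 3076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4620 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4620 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2356 wrote to memory of 2836 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 2836 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2836 wrote to memory of 2216 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 2216 wrote to memory of 3028 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 3028 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 3904 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Downloads\Registry.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Default\Downloads\Registry.exe C:\Windows\System32\cmd.exe
PID 1084 wrote to memory of 3076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
"""

# Table columns are Description / Indicator / Process / Target; Indicator is always N/A here.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path):
    """Image file name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Return de-duplicated (ppid, parent_image, pid, child_image) edges in report order.

    One CreateProcess shows up as two or three WriteProcessMemory rows; the
    seen-set collapses them to a single edge.
    """
    edges, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def parent_map(edges):
    """Map child node -> parent node, keyed on (pid, image) rather than pid alone.

    PIDs are reused inside one detonation (3076 is both a powershell.exe child
    of 4556 and a w32tm.exe child of 1084), so a pid-only key would silently
    overwrite one lineage with another.
    """
    parents = {}
    for ppid, pimg, pid, cimg in edges:
        key, parent = (pid, basename(cimg)), (ppid, basename(pimg))
        if parents.get(key, parent) != parent:
            raise ValueError(f"ambiguous parent for {key}")
        parents[key] = parent
    return parents


def lineage(parents, pid, image):
    """Walk from (pid, image) up to the root; returns image names root-first."""
    node = (pid, image.lower())
    chain, seen = [node], {node}
    while node in parents:
        node = parents[node]
        if node in seen:
            raise ValueError("cycle in parent map")
        seen.add(node)
        chain.append(node)
    return [img for _, img in reversed(chain)]


def spawn_counts(edges):
    """Count parent->child image pairs; the repeated cmd.exe<->Registry.exe
    pairs are the relaunch loop the report shows."""
    return Counter((basename(p), basename(c)) for _, p, _, c in edges)


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    parents = parent_map(edges)
    print(" -> ".join(lineage(parents, 3076, "w32tm.exe")))
    for pair, n in spawn_counts(edges).most_common():
        print(n, pair)
```

Keying on (pid, image) is enough for this report; on a host with Sysmon or ETW data the process GUID or creation timestamp is the right key, since the same image can legitimately be started under a recycled PID.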

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\SearchApp.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Downloads\Registry.exe

"C:\Users\Default\Downloads\Registry.exe"
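The command lines above lay out the dropper's whole setup: WScript runs a .vbe from C:\providercommon, a batch file starts DllCommonsvc.exe, that payload registers paired scheduled tasks for each copy it plants (an ONLOGON task at /rl HIGHEST plus a MINUTE-interval repeat pointing at the same binary), adds a Defender exclusion for each of those paths with Add-MpPreference, and then loops through temp .bat files that call w32tm /stripchart against localhost as a short delay before re-running Registry.exe. Two of the planted copies borrow real Windows binary names (wininit.exe, SearchApp.exe) in directories where those binaries never live. The following added example is not part of the report or of DCRat: it runs simple detection rules over a verbatim subset of those command lines. The trusted-directory list, the masquerade name list, the rule names and the ATT&CK ids attached to them are this example's own judgement, not sandbox output.

```python
"""Flag the persistence, defence-evasion and delay tricks in the Processes list.

Added example; not code from the report, the sandbox or DCRat. COMMAND_LINES
is a subset of the command lines in the Processes section above, copied
verbatim. The rules, TRUSTED_DIRS, MASQUERADE_NAMES and the ATT&CK ids are
this example's own assumptions.
"""
import re
from collections import Counter

COMMAND_LINES = r"""
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
"C:\providercommon\DllCommonsvc.exe"
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\Registry.exe'" /f
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Users\Default\Downloads\Registry.exe"
""".strip().splitlines()

# Assumed: anything executed or scheduled from outside these roots is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed: genuine Windows binary names that this sample reuses outside C:\Windows.
MASQUERADE_NAMES = {"wininit.exe", "searchapp.exe"}
ATTACK = {"scheduled-task": "T1053.005", "defender-exclusion": "T1562.001",
          "w32tm-sleep": "T1497.003", "script-host": "T1059.005",
          "command-shell": "T1059.003", "masquerade": "T1036.005",
          "odd-path": "heuristic"}
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"'\s]+")
SCHTASKS_OPT = re.compile(r"/(tn|sc|mo|tr|rl)\s+(\"[^\"]*\"|\S+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def outside_trusted(path):
    p = path.lower()
    return re.match(r"[a-z]:\\", p) is not None and not p.startswith(TRUSTED_DIRS)


def first_token(cmd):
    """Executable as written: a quoted path, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_schtasks(cmd):
    """Pull /tn /sc /mo /tr /rl out of a schtasks command line, unquoting the values."""
    return {k.lower(): v.strip('"').strip("'") for k, v in SCHTASKS_OPT.findall(cmd)}


def classify(cmd):
    """Return (rule, detail) findings for one command line."""
    findings, low = [], cmd.lower()
    exe_path = first_token(cmd)
    exe = basename(exe_path)
    if exe in ("schtasks.exe", "schtasks") and "/create" in low:
        o, why = parse_schtasks(cmd), []
        if o.get("sc", "").upper() == "ONLOGON":
            why.append("runs at logon")
        if o.get("sc", "").upper() == "MINUTE":
            why.append(f"re-runs every {o.get('mo', '?')} min")
        if o.get("rl", "").upper() == "HIGHEST":
            why.append("highest run level")
        if outside_trusted(o.get("tr", "")):
            why.append("target outside Windows/Program Files")
        if why:
            findings.append(("scheduled-task", f"{o.get('tn')} -> {o.get('tr')}: " + "; ".join(why)))
    m = re.search(r"add-mppreference.*-exclusionpath\s+'([^']+)'", cmd, re.I)
    if m:
        findings.append(("defender-exclusion", m.group(1)))
    if exe in ("w32tm", "w32tm.exe") and "/stripchart" in low and "/computer:localhost" in low:
        findings.append(("w32tm-sleep", "w32tm stripchart against localhost used as a delay"))
    if exe in ("wscript.exe", "cscript.exe"):
        s = re.search(r"[A-Za-z]:\\[^\"'\s]+\.(?:vbe|vbs|js|jse|wsf)\b", cmd, re.I)
        if s and outside_trusted(s.group(0)):
            findings.append(("script-host", s.group(0)))
    if exe == "cmd.exe":
        b = re.search(r"[A-Za-z]:\\[^\"'\s]+\.(?:bat|cmd)\b", cmd, re.I)
        if b and outside_trusted(b.group(0)):
            findings.append(("command-shell", b.group(0)))
    elif outside_trusted(exe_path):
        findings.append(("odd-path", exe_path))
    for path in WIN_PATH.findall(cmd):
        if basename(path) in MASQUERADE_NAMES and not path.lower().startswith("c:\\windows\\"):
            findings.append(("masquerade", path))
    return findings


def scan(lines):
    return [(i, ATTACK[rule], rule, detail)
            for i, cmd in enumerate(lines) for rule, detail in classify(cmd)]


def rule_counts(lines):
    return Counter(rule for _, _, rule, _ in scan(lines))


if __name__ == "__main__":
    for i, tid, rule, detail in scan(COMMAND_LINES):
        print(f"[{i:2}] {tid:10} {rule:18} {detail}")
```

The paired-task pattern (one ONLOGON task at HIGHEST run level, one MINUTE-interval task, both pointing at the same binary under C:\Users\Default or C:\Recovery) and an Add-MpPreference exclusion for exactly that binary are the two signals worth alerting on; the w32tm stripchart call is a weak signal on its own but is a useful pivot once either of the others fires.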

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 220.190.18.2.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4556-12-0x00007FFA23AF3000-0x00007FFA23AF5000-memory.dmp

memory/4556-13-0x0000000000760000-0x0000000000870000-memory.dmp

memory/4556-14-0x0000000001040000-0x0000000001052000-memory.dmp

memory/4556-15-0x0000000002950000-0x000000000295C000-memory.dmp

memory/4556-16-0x0000000002960000-0x000000000296C000-memory.dmp

memory/4556-17-0x0000000002970000-0x000000000297C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwl4sec3.bgy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1348-42-0x000002116B730000-0x000002116B752000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat

MD5 c481a6a5a825a8a7faddedc4a4725b05
SHA1 aa4f049b4b6119a3af7eefbf79a7cbe99bfa723d
SHA256 7359d9e71e4deac7ba825aa9488d182dc6568ba574ac10e3992dd112d1c5fc48
SHA512 d7b393746ba2f37bef374c6096aec899282f28567198fb01b93173cd205e8e27b79e3ec2f7c4f076c64a9af3f952f8426b1fc852d35cdf0332c45d30778ebe44

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2356-79-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

MD5 94155e5abbbbd3204aa6788bcea4ebf2
SHA1 af648b937f5ff1c4c1acf7908d8f5451ca39e3d5
SHA256 5af2eeb05e4813d6051c58698fe58bad3b3570fbb579d2c31c1cf66c88dc0385
SHA512 f2ecd9c3e3b08c00ccda8474f7d79c4770c2173ea3187cd8191bad4895169a2535d9a317aacec821e03873306362b0e883030bc7e1e760b872042c4a544519a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

MD5 5a04d7fbf2c80014581e18e0c7223cee
SHA1 7f094783cbd247b671a82c036d507c259dc64576
SHA256 fb28fa8433e1de6a3061eb067e2cb3b528641f6662ecd949d35cf2fb3b1b0a2a
SHA512 1821cd6dbc11bf44f22ac3fb1685a9a27a4cdaebce0ba2d85e61fd77dc04b7efedd871dc8d3671e3e41ce072896d0a2e5981f3a2a2f927644a57fa792c34d3ae

C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat

MD5 c78b31368beeb09a5c99e2de30f5892d
SHA1 1df88c7fad68faa67e9c93920e4437fd3d8e14c1
SHA256 41f23b7ab3be3320db7a85b83449d1ef7e8edf45634c847d9e9b2fd136f18642
SHA512 848c59b23bf65bd662f738890dd089ee6db0b0d18472af5ce98247132805de0cc03578d4eebf51df3984b032ccbbfc21e35c9d6ba47e0071fcee1ff6788e5e36

C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

MD5 bb5781bf8ebfc46e0d0d00599324d86d
SHA1 3f6dbf84d87099d02196250caa5c2b844827973b
SHA256 888dc3df4c945a0be30e1428c8b9a8460a3778c85898275d6de7b540aad33c67
SHA512 65adadfd5282761ade6e65b9cb1aa50659a25e16e4ca30cc8a373f61d45bac1d448893c9c52722ade52ac58725d70a45206b4cb7f7adcf45e3f61c5d18994e70

memory/876-106-0x00000000010B0000-0x00000000010C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat

MD5 1b781902246e6f66ebd40d1dbaf79808
SHA1 cb41777bb526ab172acadfe7e7a8cc84c540afcc
SHA256 03234cfed4c497e3c373f9e96ff322e40d8195d237a771c75b07f11d33e3b304
SHA512 b68d942c9f9a144a29ff8ef1c971fa515635b3b2db7413e1376696537b8fc5b475f20c53de71576517703d95e8806037a257c07f21666c8ce0643353b454638a

memory/3028-125-0x00000000012A0000-0x00000000012B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

MD5 b06fb4f98f36ee3dd7c256480ca77acb
SHA1 473263343752c6f160de850589402b17b77a0e51
SHA256 3012def1d9450e6675dbe93c24f44fd462de74c10a536d7a96a9f7085ac48d6c
SHA512 917743de1239a419e5fb66b70a820cde56c19b6cf1cf4cc09c31f4125999246a707aaa6f3854fae32f5bb5e59a1a5eac9c18142b7893f509cae9f4789abc154d

C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

MD5 c06907db4471e716e6123fe5338ab444
SHA1 e5f7db57d7df936a91429d3e670931e8e0cfaae1
SHA256 d7ab6239d27270c1345f0fda04de110739681a8a1bae74ca77dd257129605487
SHA512 45fe330f788335aca1db3a4d0b71b72658a20c7f33f21cda9e35bd7c92e3264979770c5f90d5673ddcfe9556c3e84d5bf96d7c07417b54f1e9f8b45ebe733236

C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

MD5 f52993bb53596dbc2775bd821c97ac13
SHA1 4f78f970265818ebe1ba96878847eb8d286a58c3
SHA256 02fe1d70d03a5383deac7465ad086e502a8697046c7337ad84dc5511f008594d
SHA512 128c2b293f739e2fd4ceb7750729b7ebb40f94968a4d6014dac9453638150c61d70223b3b80c7ecfdfc293c286e5ba0aa7592b92b181a0bf1900b86b4c5ee705

memory/2732-144-0x0000000002140000-0x0000000002152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

MD5 35b8cdc94e95557ab212107ac146fcd9
SHA1 ef34c560cc310f06104d30a8147c75b946750cea
SHA256 2c5a22254b4b87cfdae2165584210eec593cc8986cab2d442786030553fbd897
SHA512 c5918bb1bbeca5824f3a3ed5cd727bf6b755bdfed6db7cb9290d9820057f95daf051faae370f64736a86155f49fd023aaef25943c4e1a990c161ea8592d23b0d

memory/2672-151-0x0000000002970000-0x0000000002982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

MD5 b5499a0ff31fe65796772c4e67b9969a
SHA1 6f554457d8b4d1e7ab80da5c481163cc9d08f91d
SHA256 2f48f51f150baa9d2bb15fb7b6851796f761bddf1ecd86e2131215ac4554014b
SHA512 a007a90202eadc74a5f412fe548ba049d662b2affbdf403e75d287d96b7130abb15764cfd66439f24d3d5fb85bc7256aa2dc12a2f7d7e41d338879d81768a461

C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

MD5 41f42d636bb85e5928b1ad62fcd064f1
SHA1 0567156817659b495950627611bc6e1044825897
SHA256 1a01a2c0131ab86b7c48bd6514d6ce2cb5019c37c0f995effd449ffc821c1c28
SHA512 6dfa22a76889105e3a0f9abaf1278ded10d6a048d1581d93d62b3a257a3397db492089b965cc4fad1f7878ee7e7f98560d2be2b45f8d1577ccb8ab7d2c71a606

memory/1192-164-0x0000000002C30000-0x0000000002C42000-memory.dmp