Analysis
-
max time kernel
143s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 23:18
Behavioral task
behavioral1
Sample
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
-
Size
1.3MB
-
MD5
bda66baae95d4dc4410098f8767b46a2
-
SHA1
54004cb81ec61e5c4b563ec0ce67b4d22672b319
-
SHA256
48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f
-
SHA512
5ebca40bb05d12c0f7ae6d991a84878acf8272fef98015993fad4469e81b6cf6043f8846f6d62bdf00fe9c455a84e3c85a24b8cad65572bef916b44a73bb2ef9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3940 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4172 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1280 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 4940 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3420 4940 schtasks.exe 90 -
resource yara_rule behavioral2/files/0x0007000000023c98-10.dat dcrat behavioral2/memory/1912-13-0x0000000000490000-0x00000000005A0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1040 powershell.exe 1800 powershell.exe 1672 powershell.exe 4344 powershell.exe 2352 powershell.exe -
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation dllhost.exe -
Executes dropped EXE 13 IoCs
pid Process 1912 DllCommonsvc.exe 4804 dllhost.exe 2600 dllhost.exe 1784 dllhost.exe 4392 dllhost.exe 1476 dllhost.exe 3228 dllhost.exe 1672 dllhost.exe 1968 dllhost.exe 2476 dllhost.exe 2936 dllhost.exe 3752 dllhost.exe 3848 dllhost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 40 raw.githubusercontent.com 46 raw.githubusercontent.com 56 raw.githubusercontent.com 54 raw.githubusercontent.com 55 raw.githubusercontent.com 18 raw.githubusercontent.com 19 raw.githubusercontent.com 34 raw.githubusercontent.com 41 raw.githubusercontent.com 42 raw.githubusercontent.com 50 raw.githubusercontent.com 61 raw.githubusercontent.com -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files\Windows NT\TableTextService\en-US\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Media Player\Visualizations\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\Common Files\DESIGNER\spoolsv.exe DllCommonsvc.exe File opened for modification C:\Program Files\Common Files\DESIGNER\spoolsv.exe DllCommonsvc.exe File created C:\Program Files\Common Files\DESIGNER\f3b6ecef712a24 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings DllCommonsvc.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings dllhost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2984 schtasks.exe 2900 schtasks.exe 1920 schtasks.exe 1280 schtasks.exe 3048 schtasks.exe 4912 schtasks.exe 3940 schtasks.exe 4172 schtasks.exe 3228 schtasks.exe 1768 schtasks.exe 3364 schtasks.exe 3420 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1912 DllCommonsvc.exe 1912 DllCommonsvc.exe 1912 DllCommonsvc.exe 1040 powershell.exe 4344 powershell.exe 1672 powershell.exe 2352 powershell.exe 1800 powershell.exe 1800 powershell.exe 1040 powershell.exe 1672 powershell.exe 2352 powershell.exe 4344 powershell.exe 4804 dllhost.exe 2600 dllhost.exe 1784 dllhost.exe 4392 dllhost.exe 1476 dllhost.exe 3228 dllhost.exe 1672 dllhost.exe 1968 dllhost.exe 2476 dllhost.exe 2936 dllhost.exe 3752 dllhost.exe 3848 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 1912 DllCommonsvc.exe Token: SeDebugPrivilege 1040 powershell.exe Token: SeDebugPrivilege 4344 powershell.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeDebugPrivilege 2352 powershell.exe Token: SeDebugPrivilege 1800 powershell.exe Token: SeDebugPrivilege 4804 dllhost.exe Token: SeDebugPrivilege 2600 dllhost.exe Token: SeDebugPrivilege 1784 dllhost.exe Token: SeDebugPrivilege 4392 dllhost.exe Token: SeDebugPrivilege 1476 dllhost.exe Token: SeDebugPrivilege 3228 dllhost.exe Token: SeDebugPrivilege 1672 dllhost.exe Token: SeDebugPrivilege 1968 dllhost.exe Token: SeDebugPrivilege 2476 dllhost.exe Token: SeDebugPrivilege 2936 dllhost.exe Token: SeDebugPrivilege 3752 dllhost.exe Token: SeDebugPrivilege 3848 dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 3304 1956 JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe 85 PID 1956 wrote to memory of 3304 1956 JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe 85 PID 1956 wrote to memory of 3304 1956 JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe 85 PID 3304 wrote to memory of 4928 3304 WScript.exe 87 PID 3304 wrote to memory of 4928 3304 WScript.exe 87 PID 3304 wrote to memory of 4928 3304 WScript.exe 87 PID 4928 wrote to memory of 1912 4928 cmd.exe 89 PID 4928 wrote to memory of 1912 4928 cmd.exe 89 PID 1912 wrote to memory of 2352 1912 DllCommonsvc.exe 104 PID 1912 wrote to memory of 2352 1912 DllCommonsvc.exe 104 PID 1912 wrote to memory of 1040 1912 DllCommonsvc.exe 105 PID 1912 wrote to memory of 1040 1912 DllCommonsvc.exe 105 PID 1912 wrote to memory of 4344 1912 DllCommonsvc.exe 106 PID 1912 wrote to memory of 4344 1912 DllCommonsvc.exe 106 PID 1912 wrote to memory of 1672 1912 DllCommonsvc.exe 107 PID 1912 wrote to memory of 1672 1912 DllCommonsvc.exe 107 PID 1912 wrote to memory of 1800 1912 DllCommonsvc.exe 108 PID 1912 wrote to memory of 1800 1912 DllCommonsvc.exe 108 PID 1912 wrote to memory of 244 1912 DllCommonsvc.exe 114 PID 1912 wrote to memory of 244 1912 DllCommonsvc.exe 114 PID 244 wrote to memory of 3780 244 cmd.exe 116 PID 244 wrote to memory of 3780 244 cmd.exe 116 PID 244 wrote to memory of 4804 244 cmd.exe 118 PID 244 wrote to memory of 4804 244 cmd.exe 118 PID 4804 wrote to memory of 3288 4804 dllhost.exe 127 PID 4804 wrote to memory of 3288 4804 dllhost.exe 127 PID 3288 wrote to memory of 4952 3288 cmd.exe 129 PID 3288 wrote to memory of 4952 3288 cmd.exe 129 PID 3288 wrote to memory of 2600 3288 cmd.exe 135 PID 3288 wrote to memory of 2600 3288 cmd.exe 135 PID 2600 wrote to memory of 4848 2600 dllhost.exe 139 PID 2600 wrote to memory of 4848 2600 dllhost.exe 139 PID 4848 wrote to memory of 1172 4848 cmd.exe 141 PID 4848 wrote to memory of 1172 4848 cmd.exe 141 PID 4848 wrote to memory of 1784 4848 cmd.exe 144 PID 4848 wrote to memory of 1784 4848 cmd.exe 144 PID 1784 wrote to memory of 2692 1784 dllhost.exe 146 PID 1784 wrote to memory of 2692 1784 dllhost.exe 146 PID 2692 wrote to memory of 4568 2692 cmd.exe 148 PID 2692 wrote to memory of 4568 2692 cmd.exe 148 PID 2692 wrote to memory of 4392 2692 cmd.exe 150 PID 2692 wrote to memory of 4392 2692 cmd.exe 150 PID 4392 wrote to memory of 1176 4392 dllhost.exe 152 PID 4392 wrote to memory of 1176 4392 dllhost.exe 152 PID 1176 wrote to memory of 4916 1176 cmd.exe 154 PID 1176 wrote to memory of 4916 1176 cmd.exe 154 PID 1176 wrote to memory of 1476 1176 cmd.exe 156 PID 1176 wrote to memory of 1476 1176 cmd.exe 156 PID 1476 wrote to memory of 1692 1476 dllhost.exe 158 PID 1476 wrote to memory of 1692 1476 dllhost.exe 158 PID 1692 wrote to memory of 1788 1692 cmd.exe 160 PID 1692 wrote to memory of 1788 1692 cmd.exe 160 PID 1692 wrote to memory of 3228 1692 cmd.exe 163 PID 1692 wrote to memory of 3228 1692 cmd.exe 163 PID 3228 wrote to memory of 2800 3228 dllhost.exe 165 PID 3228 wrote to memory of 2800 3228 dllhost.exe 165 PID 2800 wrote to memory of 4344 2800 cmd.exe 167 PID 2800 wrote to memory of 4344 2800 cmd.exe 167 PID 2800 wrote to memory of 1672 2800 cmd.exe 169 PID 2800 wrote to memory of 1672 2800 cmd.exe 169 PID 1672 wrote to memory of 3972 1672 dllhost.exe 171 PID 1672 wrote to memory of 3972 1672 dllhost.exe 171 PID 3972 wrote to memory of 1740 3972 cmd.exe 173 PID 3972 wrote to memory of 1740 3972 cmd.exe 173 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3d5a4VryJl.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3780
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4952
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1172
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:4568
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"13⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:4916
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"15⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1788
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"17⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:4344
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"19⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:1740
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"21⤵PID:968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2692
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"23⤵PID:4696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:4076
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"25⤵PID:4236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2116
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"27⤵PID:760
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:4956
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
198B
MD50ed0b5e9971a8ace5d846ea3117f992a
SHA1fa0c1e70c13126301474b6cb942266e610b6f4bf
SHA2560e29b7341d9677b8322b3ec8272f906bf8ae12aa6b7c586fefce48eea15b1629
SHA512ccece1adf1aea08b45ed4ce2754b3a41074120eaa33411241d4d9e401d783bd3b1756669d2ea5d0da97bde3b54bfbc9a7d4ac2450f9db22647159856647b1d99
-
Filesize
198B
MD5f6aea1abbbd9f952af4aa63c3347c34f
SHA17315b31126abdd6ba0a3c3fb242ff93243f46e75
SHA2562302cb134d6a97021189b332a8b067990619020da2b59f908acc56b38cf78226
SHA5129bbeb2ee7d6f664ed929afd089be9660eb681731577f84e83e4f0de7907d477432ff53bded5dfec6f632c259b22aa30d33dfd72f381cfe3bc59487a225d40087
-
Filesize
198B
MD57ce7214f23b4bba50d9e4512dea0172a
SHA13e94c75a516d21672edb0df4db0badcacb34389f
SHA25630d1cca2c92627e0c4560f3020041f90a86e914755af58c2336def273b7912f0
SHA51279a73ff16a28798c3de5e0141b3e922afc1f7619f99bb046482d23bfc4f560f42a36abb03448fd2e3af62727824a2341f6a664189fbc40e24dae12182c5e28f1
-
Filesize
198B
MD58a564cd6d45dc942a855ac17f5ffb2ee
SHA19d802aee3585767da70c2d0d32844236f3d7c176
SHA256a70cf05660ed92db2910a91cea7a08c792936730588a04ccab6c37bf3f7be1e0
SHA51228cb51d7780c99075f326341814732e6e4dc74ad92ba3ab5737a76e34e569f8831942b0f34a4c31deb3f88a9386dea86c23f38615583c1f2a53543d96b9bcea3
-
Filesize
198B
MD526e39afd0589ac6d3fde602c055c7cfd
SHA1bc16d1a4f4d1c5a67c9962c4247a48ec6268cedf
SHA25693470d301528f25e41b5a9479d02565451dfaf9a08b2f4c1b097bdf0a9d3748a
SHA51283675b17697e02d062baced90cb21ae06bf29ae967c0309bb3c44a1cfc599411d351600073763654acae4dbd1406b9b1f03b1d088e5844d2f5b93a94f2a8eedc
-
Filesize
198B
MD5324fdf7eb589b2d4d2871a9a4c75c7ee
SHA1a5702635834e068b6e27ab639861289fa3a9304f
SHA256fa851ddadd9d9fb49063f94418e5351986cee9c7916e31a27124989934c75247
SHA512b27dad39f0f3a7d82265c70a643d4d9d015812aba3fca0e66363bc6d2c6c0d3649371bf1b32b11bf09466a0465305b804b832e964f120a19d275b70564007bf5
-
Filesize
198B
MD58a28cfacc1a2feae39fd2725f424a5e7
SHA1b87ae16c0dcf5fda1a3fdda62fcc6f73735f8e0c
SHA2565f045f7c2cae49f1b4eb45c78ec3737a94f2683c86a7ac88d15c760269956c2b
SHA512a93f42f0d16f35a9aebd49b5e7e81bc57a8d2a1315be6d273ae963247d3b5e1a7bf7594e9844f795712c503684acb6869db2583cb86712ce3c1d4848c648e789
-
Filesize
198B
MD5c18579ec33781b6a64eb1da82a15b38f
SHA19fbe636ac4dc4fbfde3e10779ff0785481f655f0
SHA2560b46648c64de710de412032da4cc00ecb54da5b88f7fe3ead225c7d807199fb1
SHA5120ab8974f907df01108fad34fd1e7100a2ab254d64638ee08100d8b92cf96e8266e9243185468df5398d33bdab56fae597b8a8f5d28ccb977f75279fe1cf21d93
-
Filesize
198B
MD5f3e6d46f041e4d492133d34fc6fce220
SHA1cd144e25d554f42f12b7d7e6aef6e1990c3439f2
SHA2567c31c22f52005525169f8a13e5680dbcc0f655279d7aaeee24f074a3cff48bac
SHA512461791b060b7e9d84cc97804366f28f471e2023a22ee54270d4ea5fd13f048c5f34d5d7dc2862f25b649969e97ba8c23f6ba479a0c19b03fbb39e6798d83edb8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
198B
MD5d42e4a9d166ece921a9382386ac7a63c
SHA11761f5f4a4607f04bdebf118edcdb58b3555cd9f
SHA256ccf1f9846432f6f9c94f8c1c79f82fde74a91038b78ce3c930f4dae66d3c70c7
SHA512582059a5b3ef7fde228157802067402f9b1daeec33c97be20e75ffcc3efa7fbea32ef6477d9fdaf5796d74b65551b56e90d5ac78316caeb1ec33ca2f3516aaf7
-
Filesize
198B
MD5eb6ecc1213a6a4445a88573f9238dd49
SHA128ee0f6ae453c1e05d0f7cecce6f8a85b7042f17
SHA256a519b41d6bee727d64a2e15a33eb79735279fcc05d9db4388b1f8b6aa21474bf
SHA512f9feaccfe64d6a4cf377d79c4727b0404306af07354b4242a22c0864bb3547535af26a407d4dcde2008cbe4047256f06f77002be736a9ba9b5eda23f43e6e0f5
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478