Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 19:53
Behavioral task behavioral1
Sample: JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe
Size: 1.3MB
MD5: 76f57cdae6224f6d655996f2953535b5
SHA1: 30feb1edd193e937514586430b792b508eac1a0c
SHA256: 796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012
SHA512: fe5eb19e3b84a78a8a198e075d4858f986302d9e1b13ca32285ec3b5b751ce6201e4e22ae2d657c435020ac261fbc69424099f7f0d7aba83ffbb88df0eb687fd
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT that has been active since June 2019 and can load additional plugins.
Dcrat family
Process spawned unexpected child process 15 IoCs
Sandbox description: this typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 1108), the WMI provider host. A child of WmiPrvSE.exe is what process creation through WMI (Win32_Process.Create) looks like, so the generic "compromised parent" wording should not be read as an exploit finding here: the malware is launching its schtasks.exe calls over WMI, which also detaches them from the DllCommonsvc.exe process tree.
Children of wmiprvse.exe (PID 1108), all schtasks.exe (procid_target 86): PIDs 1568, 1928, 2444, 1920, 2324, 2396, 2636, 416, 3592, 4540, 4856, 732, 3552, 4564, 1860
resource / yara_rule:
behavioral2/files/0x0008000000023bfa-10.dat: dcrat
behavioral2/memory/4476-13-0x0000000000800000-0x0000000000910000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings (Add-MpPreference) and add exclusions for file extensions, paths, and processes. In this run every call adds an -ExclusionPath for one of the dropped executables (see the process tree below).
pid / Process: 5000 powershell.exe, 1680 powershell.exe, 2596 powershell.exe, 4500 powershell.exe, 3248 powershell.exe, 3116 powershell.exe
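The six Add-MpPreference calls in this report each carve one dropped binary out of Defender scanning. The following is an added example, not part of the sandbox report or of any vendor tooling, of parsing such command lines from process-creation telemetry and flagging exclusions an administrator would rarely add: paths under user-writable or recovery directories, Windows binary names outside the system directories, bare process names, and whole extensions. The six report command lines are used verbatim as input; the Docker and .vbe lines, the directory lists and the binary-name list are constructed assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# One exclusion parameter and its value(s): quoted or bare, optionally comma-separated,
# ending at the next -Parameter or at end of line.
PARAM = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+(.+?)(?=\s+-[A-Za-z]|\s*$)",
    re.IGNORECASE,
)

# Assumed lists for this example. Exclusions for executables under these roots are almost
# never added by an administrator; the binary names are real Windows components that DcRat
# reuses for its copies, and the genuine ones live only under the system directories.
SUSPICIOUS_ROOTS = ("c:\\providercommon\\", "c:\\recovery\\", "c:\\users\\",
                    "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_BINARIES = {"wininit.exe", "dwm.exe", "dllhost.exe", "startmenuexperiencehost.exe",
                   "svchost.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")


def parse_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion an Add-MpPreference call adds."""
    if not ADD_MP.search(cmdline):
        return []
    found = []
    for m in PARAM.finditer(cmdline):
        for value in m.group(2).split(","):
            value = value.strip().strip("'\"").strip()
            if value:
                found.append((m.group(1), value))
    return found


def why_suspicious(param, value):
    """Reasons this exclusion weakens coverage the way an attacker wants; [] if none apply."""
    reasons = []
    low = value.lower()
    if param.lower() == "exclusionextension":
        return ["whole extension excluded: %s" % value]
    if param.lower() == "exclusionprocess" and "\\" not in value:
        reasons.append("process excluded by bare name, so any file with that name is covered")
    name = PureWindowsPath(value).name.lower()
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append("%s is a Windows binary name but this copy is outside the system directories" % name)
    if low.startswith(SUSPICIOUS_ROOTS):
        reasons.append("exclusion under a user-writable or recovery location")
    return reasons


def scan(cmdlines):
    """Flag every exclusion in the given command lines that has at least one reason."""
    hits = []
    for cmd in cmdlines:
        for param, value in parse_exclusions(cmd):
            reasons = why_suspicious(param, value)
            if reasons:
                hits.append({"cmdline": cmd, "param": param, "value": value, "reasons": reasons})
    return hits


# The first six command lines are the ones in this report's process tree; the last two are
# constructed for contrast (a plausible admin exclusion, and an extension-wide one).
SAMPLE_CMDLINES = [
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\wininit.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dwm.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Docker\Docker\resources'""",
    r"""powershell -Command Add-MpPreference -ExclusionExtension '.vbe'""",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["param"], hit["value"], "->", "; ".join(hit["reasons"]))
```

Defender records exclusion changes itself as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log; parsing the PowerShell command line is the corroborating signal that survives when that log is not collected or has been cleared.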
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Processes: wininit.exe (12 queries), DllCommonsvc.exe (1), WScript.exe (1), JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe (1)
Executes dropped EXE 14 IoCs
pid / Process: 4476 DllCommonsvc.exe; wininit.exe PIDs 2876, 4420, 2832, 3548, 2296, 2812, 1148, 5108, 640, 392, 2148, 2276, 2144
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow / ioc: raw.githubusercontent.com on flows 17, 24, 37, 39, 40, 44, 45, 52, 53, 54, 55, 56
Drops file in Program Files directory 4 IoCs
Files created by DllCommonsvc.exe:
- C:\Program Files\Internet Explorer\de-DE\wininit.exe
- C:\Program Files\Internet Explorer\de-DE\56085415360792
- C:\Program Files\VideoLAN\dllhost.exe
- C:\Program Files\VideoLAN\5940a34987c991
Drops file in Windows directory 2 IoCs
Files created by DllCommonsvc.exe:
- C:\Windows\en-US\dwm.exe
- C:\Windows\en-US\6cb0b6c459d5d3
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe, WScript.exe, cmd.exe
Modifies registry class 13 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings
Processes: wininit.exe (12), JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe (1)
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe PIDs 416, 4540, 4856, 732, 1568, 1928, 2324, 2396, 1860, 3592, 3552, 2444, 4564, 1920, 2636
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid / Process: 4476 DllCommonsvc.exe; powershell.exe PIDs 4500, 1680, 5000, 2596, 3248, 3116 (each raised twice); wininit.exe PIDs 2876, 4420, 2832, 3548, 2296, 2812, 1148, 5108, 640, 392, 2148, 2276, 2144
Suspicious use of AdjustPrivilegeToken 20 IoCs
Token: SeDebugPrivilege enabled by 4476 DllCommonsvc.exe; powershell.exe PIDs 4500, 1680, 3248, 5000, 2596, 3116; wininit.exe PIDs 2876, 4420, 2832, 3548, 2296, 2812, 1148, 5108, 640, 392, 2148, 2276, 2144
Suspicious use of WriteProcessMemory 64 IoCs
Writer PID -> target PID (writer process, procid_target); repeated events are collapsed with a count:
3080 -> 1684 (JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe, 82) x3
1684 -> 548 (WScript.exe, 83) x3
548 -> 4476 (cmd.exe, 85) x2
4476 -> 3116 (DllCommonsvc.exe, 102) x2
4476 -> 3248 (DllCommonsvc.exe, 103) x2
4476 -> 4500 (DllCommonsvc.exe, 104) x2
4476 -> 2596 (DllCommonsvc.exe, 105) x2
4476 -> 1680 (DllCommonsvc.exe, 106) x2
4476 -> 5000 (DllCommonsvc.exe, 107) x2
4476 -> 2876 (DllCommonsvc.exe, 114) x2
2876 -> 1820 (wininit.exe, 118) x2
1820 -> 1560 (cmd.exe, 120) x2
1820 -> 4420 (cmd.exe, 122) x2
4420 -> 216 (wininit.exe, 125) x2
216 -> 1964 (cmd.exe, 127) x2
216 -> 2832 (cmd.exe, 128) x2
2832 -> 4864 (wininit.exe, 131) x2
4864 -> 1988 (cmd.exe, 133) x2
4864 -> 3548 (cmd.exe, 134) x2
3548 -> 1668 (wininit.exe, 135) x2
1668 -> 5072 (cmd.exe, 137) x2
1668 -> 2296 (cmd.exe, 138) x2
2296 -> 4732 (wininit.exe, 139) x2
4732 -> 2440 (cmd.exe, 141) x2
4732 -> 2812 (cmd.exe, 142) x2
2812 -> 2760 (wininit.exe, 143) x2
2760 -> 368 (cmd.exe, 145) x2
2760 -> 1148 (cmd.exe, 146) x2
1148 -> 4812 (wininit.exe, 147) x2
4812 -> 3796 (cmd.exe, 149) x2
4812 -> 5108 (cmd.exe, 150) x2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each node is listed as its image path, its command line, its PID and the signatures raised on it; [depth n] is the node's depth in the process tree.
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe
command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe"
PID: 3080
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\WScript.exe (the command line names System32; the 32-bit parent's request was redirected to SysWOW64 by WOW64 file system redirection)
command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
PID: 1684
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
PID: 548
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[depth 4] C:\providercommon\DllCommonsvc.exe
command line: "C:\providercommon\DllCommonsvc.exe"
PID: 4476
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, six instances spawned by DllCommonsvc.exe, each with command line "powershell" -Command Add-MpPreference -ExclusionPath '<path>' and the signatures Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken. Excluded path per PID:
PID 3116: C:\providercommon\DllCommonsvc.exe
PID 3248: C:\providercommon\StartMenuExperienceHost.exe
PID 4500: C:\Program Files\Internet Explorer\de-DE\wininit.exe
PID 2596: C:\Recovery\WindowsRE\DllCommonsvc.exe
PID 1680: C:\Windows\en-US\dwm.exe
PID 5000: C:\Program Files\VideoLAN\dllhost.exe
[depth 5 onward] Self-relaunch loop. DllCommonsvc.exe starts C:\Program Files\Internet Explorer\de-DE\wininit.exe (PID 2876). Every wininit.exe copy then runs cmd.exe /C on a random-named batch file in C:\Users\Admin\AppData\Local\Temp\; the batch runs w32tm.exe and then starts the same wininit.exe again two levels deeper, so the tree alternates wininit.exe (odd depth), cmd.exe (even depth), w32tm.exe and wininit.exe (next odd depth) down to depth 29. Command lines are identical across iterations:
wininit.exe: "C:\Program Files\Internet Explorer\de-DE\wininit.exe"
cmd.exe: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\<batch file>"
w32tm.exe (C:\Windows\system32\w32tm.exe): w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Signatures on the wininit.exe nodes: A = Checks computer location settings, Executes dropped EXE, Modifies registry class, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken; W = Suspicious use of WriteProcessMemory, raised on the wininit.exe node and on that iteration's cmd.exe. The w32tm.exe nodes and the later cmd.exe nodes raise no signatures.
depth | wininit.exe PID | signatures | cmd.exe PID (depth) | batch file | w32tm.exe PID (depth)
5 | 2876 | A, W | 1820 (6) | 0uTXzTWsAa.bat | 1560 (7)
7 | 4420 | A, W | 216 (8) | 2zdeBu3xOP.bat | 1964 (9)
9 | 2832 | A, W | 4864 (10) | OWdtHMBUzi.bat | 1988 (11)
11 | 3548 | A, W | 1668 (12) | XFk51gP3Gp.bat | 5072 (13)
13 | 2296 | A, W | 4732 (14) | jClCs9nEU3.bat | 2440 (15)
15 | 2812 | A, W | 2760 (16) | Pbn0SniZDX.bat | 368 (17)
17 | 1148 | A, W | 4812 (18) | t6OOvELCCF.bat | 3796 (19)
19 | 5108 | A | 3192 (20) | 7hZg3igX7v.bat | 1792 (21)
21 | 640 | A | 1872 (22) | BfyeXCadxk.bat | 3728 (23)
23 | 392 | A | 968 (24) | z3bbUpz34c.bat | 2896 (25)
25 | 2148 | A | 3704 (26) | aMI81VmL1g.bat | 3324 (27)
27 | 2276 | A | 2192 (28) | p8yPRkR6MR.bat | 4768 (29)
29 | 2144 | Executes dropped EXE, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken | (none recorded) | | 
Scheduled tasks. Fifteen C:\Windows\system32\schtasks.exe processes at depth 1, all children of wmiprvse.exe (PID 1108), each raising Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task. Every command line has the form schtasks.exe /create /tn "<name>" /sc <schedule> [/mo <n>] /tr "'<path>'" [/rl HIGHEST] /f; because /f is always given, the second task created with a given /tn replaces the first.
PID | /tn | /sc | /mo | /rl | /tr
1568 | StartMenuExperienceHostS | MINUTE | 6 | | C:\providercommon\StartMenuExperienceHost.exe
1928 | StartMenuExperienceHost | ONLOGON | | HIGHEST | C:\providercommon\StartMenuExperienceHost.exe
2444 | StartMenuExperienceHostS | MINUTE | 14 | HIGHEST | C:\providercommon\StartMenuExperienceHost.exe
1920 | wininitw | MINUTE | 8 | | C:\Program Files\Internet Explorer\de-DE\wininit.exe
2324 | wininit | ONLOGON | | HIGHEST | C:\Program Files\Internet Explorer\de-DE\wininit.exe
2396 | wininitw | MINUTE | 14 | HIGHEST | C:\Program Files\Internet Explorer\de-DE\wininit.exe
2636 | DllCommonsvcD | MINUTE | 9 | | C:\Recovery\WindowsRE\DllCommonsvc.exe
416 | DllCommonsvc | ONLOGON | | HIGHEST | C:\Recovery\WindowsRE\DllCommonsvc.exe
3592 | DllCommonsvcD | MINUTE | 13 | HIGHEST | C:\Recovery\WindowsRE\DllCommonsvc.exe
4540 | dwmd | MINUTE | 13 | | C:\Windows\en-US\dwm.exe
4856 | dwm | ONLOGON | | HIGHEST | C:\Windows\en-US\dwm.exe
732 | dwmd | MINUTE | 6 | HIGHEST | C:\Windows\en-US\dwm.exe
3552 | dllhostd | MINUTE | 6 | | C:\Program Files\VideoLAN\dllhost.exe
4564 | dllhost | ONLOGON | | HIGHEST | C:\Program Files\VideoLAN\dllhost.exe
1860 | dllhostd | MINUTE | 11 | HIGHEST | C:\Program Files\VideoLAN\dllhost.exe
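The process tree above combines three patterns worth detecting independently of this sample: schtasks.exe children of WmiPrvSE.exe (process creation through WMI), scheduled tasks whose target reuses a Windows binary name outside the system directories, and each wininit.exe copy relaunching itself through a batch file that first runs w32tm /stripchart, a common way to pause a few seconds without a sleep binary. The following is an added example, not part of the report, that rebuilds a small process tree from constructed Sysmon-style process-creation events and reports those patterns. PIDs, image paths and command lines are copied from the report; the event layout, the parent PID of wmiprvse.exe (given as 1 for lack of data) and the system-binary list are assumptions.

```python
import re

# Constructed process-creation events, Sysmon Event ID 1 style: (pid, ppid, image, command line).
# A subset of the report's tree: the initial chain, one relaunch cycle, and three of the tasks.
EVENTS = [
    (1108, 1, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),
    (3080, 1, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_796fb13d4ec91acabb8ea8447699850ddbc189157e3a9a91c0477a5b83c72012.exe", ""),
    (1684, 3080, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    (548, 1684, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "'),
    (4476, 548, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (2876, 4476, r"C:\Program Files\Internet Explorer\de-DE\wininit.exe", r'"C:\Program Files\Internet Explorer\de-DE\wininit.exe"'),
    (1820, 2876, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"'),
    (1560, 1820, r"C:\Windows\system32\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (4420, 1820, r"C:\Program Files\Internet Explorer\de-DE\wininit.exe", r'"C:\Program Files\Internet Explorer\de-DE\wininit.exe"'),
    (1928, 1108, r"C:\Windows\system32\schtasks.exe", r"""schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f"""),
    (2324, 1108, r"C:\Windows\system32\schtasks.exe", r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f"""),
    (1920, 1108, r"C:\Windows\system32\schtasks.exe", r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f"""),
]

# Assumed: Windows binary names this family reuses, and where the genuine ones live.
SYSTEM_BINARIES = {"wininit.exe", "dwm.exe", "dllhost.exe", "startmenuexperiencehost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
# schtasks /create options we care about; values are a double-quoted string or a bare token.
SCHTASKS_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_system_dirs(path):
    """True when the file name is a Windows binary name but the path is not a system directory."""
    return basename(path) in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS)


def parse_schtasks_create(cmdline):
    """Options of a schtasks /create command as a dict, or None if it is not a /create call."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        # /tr values in this family are double-quoted and then single-quoted: "'C:\path\x.exe'"
        opts[m.group(1).lower()] = m.group(2).strip('"').strip("'")
    return opts


def index(events):
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def relaunch_depth(by_pid, pid):
    """Number of ancestors running the same image; the bat -> w32tm -> wininit.exe loop adds one per cycle."""
    image = by_pid[pid][1].lower()
    depth, cur, seen = 0, by_pid[pid][0], set()
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        depth += by_pid[cur][1].lower() == image
        cur = by_pid[cur][0]
    return depth


def triage(events):
    """Return (pid, finding) pairs for the WMI-spawn, masquerade, persistence and relaunch patterns."""
    by_pid = index(events)
    findings = []
    for pid, ppid, image, cmd in events:
        parent_image = by_pid[ppid][1] if ppid in by_pid else ""
        if basename(parent_image) == "wmiprvse.exe":
            findings.append((pid, "child of WmiPrvSE.exe: process created through WMI (Win32_Process.Create)"))
        if outside_system_dirs(image):
            findings.append((pid, "%s running from %s" % (basename(image), image)))
        if basename(image) == "schtasks.exe":
            opts = parse_schtasks_create(cmd) or {}
            target, sc, rl = opts.get("tr", ""), opts.get("sc", "").upper(), opts.get("rl", "").upper()
            if outside_system_dirs(target):
                findings.append((pid, "task %s runs %s: Windows binary name outside the system directories" % (opts.get("tn"), target)))
            if sc == "ONLOGON" and rl == "HIGHEST":
                findings.append((pid, "task %s: logon trigger at highest run level" % opts.get("tn")))
            if sc == "MINUTE":
                findings.append((pid, "task %s: re-runs every %s minute(s)" % (opts.get("tn"), opts.get("mo", "1"))))
        depth = relaunch_depth(by_pid, pid)
        if depth:
            findings.append((pid, "%s relaunched itself %d time(s) through cmd.exe" % (basename(image), depth)))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(pid, finding)
```

On a live host the same checks map onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Security Event ID 4688 with command-line auditing enabled, and the task targets can be cross-checked against the XML under C:\Windows\System32\Tasks.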
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped and downloaded files by size and hash (file names are not recorded in this view):
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize: 944B
MD5: 6d42b6da621e8df5674e26b799c8e2aa
SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize: 944B
MD5: 62623d22bd9e037191765d5083ce16a3
SHA1: 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256: 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512: 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize: 217B
MD5: 3ee9015cfd51552ea24c158844a4d8f2
SHA1: 3011e96c1f995b18393c1f76414a643610db4e47
SHA256: 10ace3b8e30369fbabd23115aa64a8304053e3531c526fa2780781597b868145
SHA512: cb88d6dfe32293ae3ce2026d237d589cb2fc5c9df68868c9a9e20477dbec0d1903e92077aeb4932164cbe2425b885efca448124190a598bb1862694c3b350553
-
Filesize: 217B
MD5: 8a537b5381df9182ac1f7b1d6ec170d6
SHA1: f99ae01147c002cef03bd0cde311b23664151ff2
SHA256: 0034ccfef1aad1bf276f5e31684aeeb4c4d55c6379e2ed35b5e21dc3e2e67430
SHA512: 77d09f63e841937e5d1c709def9b09a3c1903511898e2187fd6f09bfae820383f52a5f84d348687efaa7f956e8200306d0f07fc2e3a34f405665931e96775f1f
-
Filesize: 217B
MD5: ebb3fb5d2be2a97f5a3e3aaa63b75c76
SHA1: c79055fa225fe0cdbbe6cf9603c7b5a497949518
SHA256: d6155e6d3af6b7bdb985a35b832613233ff01ebea79ae09e1e0daf23b10d8c1b
SHA512: 649b5b90e5d0a71bd81a4144189983d871fc012a3f0fec72b62d4fd13d81490acc6fcf5b64109e850d27e490e5cce8d01d95b9393a5e20c070c570d35562165e
-
Filesize: 217B
MD5: 72919b8efee24cff5c65ce514cf4c81b
SHA1: c08849bf5c3f8bdb892406cf881ed5ea2df6820e
SHA256: 1853411f71bf7cef57b1d16f93263ee85d0dd2b57de5a7689a10d0954931dce9
SHA512: 6f805c1518c0b55c973f4e91425798927fcaf5ef5ce038db5806e56019125c967a3c9a1c138bfb871d3cee91226e05dab89199d6063a7bc0828b126101c99c98
-
Filesize: 217B
MD5: f1bccb54852649c7f6425c1406517303
SHA1: a06873e6c1fc165ec6f5f324e1e60e7a50185a19
SHA256: d92664ed6d11d42af746713e5325c61271028c3c22664348cb654a338b55895a
SHA512: 62cb92506ad2c7420d7e55dea3b9703fa86f9638ab231ed871cbabaf89915f287bcd067aa02509fe992869d4945dd9ca0e2eb101199315e5d7ab9aa4f9520d93
-
Filesize: 217B
MD5: 01c60724aa7c638a54434a214e5e6fc1
SHA1: e853adbd0e9a71caac96583814746530168491a9
SHA256: 11d16cc14b15536dba9fb2d370a21aebcaea797bec53312829a2b61dc929b2b8
SHA512: b15c91f2b3524d737225e7e56725c90980d27adbed61a96c88e98bd1e8e4fddc936fad7db8cc373b802c0e973d3ff71cb620fb21f2b02bb5b008eeab93cb5883
-
Filesize: 217B
MD5: 5015524f5b6880d3d965bb67ce73287f
SHA1: 7cdc51293ffad09660b51a3ad6714ed758d6b0d9
SHA256: 8c30979f9d1afd4963329b319d71894ae8008c6bbb2fa9bbeba9b8024c58c6a8
SHA512: 2d0e86bf3ac7c6dcdc2df1a86573e850fb4789aa62ad59536cea2203f6c02b0c1042cdc5ea5852243b948ab17723208b99d4d4ebf1fadb7f7f2baff0069ed3b5
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 217B
MD5: 899ec793015d204393bd0d1b20bf1fdc
SHA1: 713669757eb0822dd6849a0f0dcd569c9266a1ae
SHA256: ed6e62350776e98dc6a7108a451b6cb5418c1a64f101e88e35e560cc9f96f76f
SHA512: 33f334fd0df3076bf10c5786169feb3036a5b0d354cd5dfbcb3fa0dad8488166461779cfc5a40f607bbf19ba1ae3f29c1351b9fa01324844c70c2c23be8723ac
-
Filesize: 217B
MD5: 12bf6a845364b7be0d519cc48bd9874c
SHA1: 37e6c21c5162bbfcc96e37dafa82f2ed36dbc714
SHA256: 3dbdfdb1c411ea84a2cf989742fe3ea7bdcc27e7cce796cb57a792011e0864ee
SHA512: a5757d265d7c93253f45570834f96e999d95f255f80da7fd0956571e71141e6172659de249c2dcc63570756dbaf265855c8942490602f7979bd003bb03dd0907
-
Filesize: 217B
MD5: fc5238e395c2d8e873d65aa7a3d9f5b5
SHA1: fb699ac070d92d927e0dc65630048289e5f14b91
SHA256: 02f11fcfdf3e86dc502115019c740aff9e7114acca130ebe5da4251cdcff84de
SHA512: 70836e8051c79aa556cb3ff85cc3a94d2d9018173126da7232a5acd41f762e6888fdedb20f6f8092d700ab71b2922cd81e045040fa836cb84e204383f5501b80
-
Filesize: 217B
MD5: b2944638cb06df63dd8b1a35aebaed3b
SHA1: 0b61ea5cb4d80bf1c844f0f70c35207856531d88
SHA256: 0d06d9d0412d896dcffa5005b35ddddd3c574c808f568d730819c972ef349864
SHA512: e197513ffb0ce9b2dce1179995e4c5a39143d43fd1bbd91f835a887a042ceb5ab4c0bb371289366cb99d2e1c3baac29fb5fcb1874c4cc0183af23ea61fc1528e
-
Filesize: 217B
MD5: 6071a29efef0d412f99fd3f97d3f7635
SHA1: ea4d4f734d2e44256c41ec00db904d277547d826
SHA256: d818f1ed0d4b7057fa528a7db7ab3ad785572f5c3279298104650743e3231c5c
SHA512: 61374c4e3b709ed9f051cff3487d7d0b233d90f401dc2082dc09b6985b8bea40d709d59556ec046afdfd9a22f5b94d13bd6e7e59951228b300058c4908b3e13b
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478