Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 20:41

Behavioral task: behavioral1
Sample: JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Size: 1.3MB
MD5: 42651fff742c0a5e04db2916591aff08
SHA1: 5574495235b5fcc6ec78b50b6adb9238c0aaca99
SHA256: 87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a
SHA512: 4c7ebc12c746fec891fb6a69d0f73ec8c1769b7abfb5bbd30bf6d1a0a9453fd217b89ea5dd79f8d141206f31025bf2cf269d5f0585c0152517c1241938b128a1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4900 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4292 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2080 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4824 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 4280 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 812 | 4280 | schtasks.exe | 86

resource | yara_rule
behavioral2/files/0x000e000000023bae-9.dat | dcrat
behavioral2/memory/3724-13-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
644 | powershell.exe
752 | powershell.exe
4460 | powershell.exe
864 | powershell.exe

Checks computer location settings (2 TTPs, 16 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe

Executes dropped EXE (14 IoCs)
pid | Process
3724 | DllCommonsvc.exe
2300 | fontdrvhost.exe
4344 | fontdrvhost.exe
4176 | fontdrvhost.exe
1760 | fontdrvhost.exe
1428 | fontdrvhost.exe
3820 | fontdrvhost.exe
4624 | fontdrvhost.exe
4992 | fontdrvhost.exe
4060 | fontdrvhost.exe
1580 | fontdrvhost.exe
2924 | fontdrvhost.exe
724 | fontdrvhost.exe
864 | fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 14 IoCs)
flow | ioc
53 | raw.githubusercontent.com
14 | raw.githubusercontent.com
23 | raw.githubusercontent.com
40 | raw.githubusercontent.com
45 | raw.githubusercontent.com
57 | raw.githubusercontent.com
13 | raw.githubusercontent.com
44 | raw.githubusercontent.com
48 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
30 | raw.githubusercontent.com
56 | raw.githubusercontent.com
39 | raw.githubusercontent.com

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\appcompat\appraiser\Telemetry\System.exe | DllCommonsvc.exe
File created | C:\Windows\appcompat\appraiser\Telemetry\27d1bcfc3c54e0 | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4900 | schtasks.exe
2080 | schtasks.exe
4824 | schtasks.exe
812 | schtasks.exe
3008 | schtasks.exe
4292 | schtasks.exe
2252 | schtasks.exe
2084 | schtasks.exe
1144 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
3724 | DllCommonsvc.exe
752 | powershell.exe
4460 | powershell.exe
644 | powershell.exe
864 | powershell.exe
644 | powershell.exe
2300 | fontdrvhost.exe
752 | powershell.exe
4460 | powershell.exe
864 | powershell.exe
4344 | fontdrvhost.exe
4176 | fontdrvhost.exe
1760 | fontdrvhost.exe
1428 | fontdrvhost.exe
3820 | fontdrvhost.exe
4624 | fontdrvhost.exe
4992 | fontdrvhost.exe
4060 | fontdrvhost.exe
1580 | fontdrvhost.exe
2924 | fontdrvhost.exe
724 | fontdrvhost.exe
864 | fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3724 | DllCommonsvc.exe
Token: SeDebugPrivilege | 752 | powershell.exe
Token: SeDebugPrivilege | 4460 | powershell.exe
Token: SeDebugPrivilege | 644 | powershell.exe
Token: SeDebugPrivilege | 2300 | fontdrvhost.exe
Token: SeDebugPrivilege | 864 | powershell.exe
Token: SeDebugPrivilege | 4344 | fontdrvhost.exe
Token: SeDebugPrivilege | 4176 | fontdrvhost.exe
Token: SeDebugPrivilege | 1760 | fontdrvhost.exe
Token: SeDebugPrivilege | 1428 | fontdrvhost.exe
Token: SeDebugPrivilege | 3820 | fontdrvhost.exe
Token: SeDebugPrivilege | 4624 | fontdrvhost.exe
Token: SeDebugPrivilege | 4992 | fontdrvhost.exe
Token: SeDebugPrivilege | 4060 | fontdrvhost.exe
Token: SeDebugPrivilege | 1580 | fontdrvhost.exe
Token: SeDebugPrivilege | 2924 | fontdrvhost.exe
Token: SeDebugPrivilege | 724 | fontdrvhost.exe
Token: SeDebugPrivilege | 864 | fontdrvhost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4120 wrote to memory of 4152 | 4120 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 82
PID 4120 wrote to memory of 4152 | 4120 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 82
PID 4120 wrote to memory of 4152 | 4120 | JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe | 82
PID 4152 wrote to memory of 4540 | 4152 | WScript.exe | 83
PID 4152 wrote to memory of 4540 | 4152 | WScript.exe | 83
PID 4152 wrote to memory of 4540 | 4152 | WScript.exe | 83
PID 4540 wrote to memory of 3724 | 4540 | cmd.exe | 85
PID 4540 wrote to memory of 3724 | 4540 | cmd.exe | 85
PID 3724 wrote to memory of 864 | 3724 | DllCommonsvc.exe | 96
PID 3724 wrote to memory of 864 | 3724 | DllCommonsvc.exe | 96
PID 3724 wrote to memory of 644 | 3724 | DllCommonsvc.exe | 97
PID 3724 wrote to memory of 644 | 3724 | DllCommonsvc.exe | 97
PID 3724 wrote to memory of 752 | 3724 | DllCommonsvc.exe | 98
PID 3724 wrote to memory of 752 | 3724 | DllCommonsvc.exe | 98
PID 3724 wrote to memory of 4460 | 3724 | DllCommonsvc.exe | 99
PID 3724 wrote to memory of 4460 | 3724 | DllCommonsvc.exe | 99
PID 3724 wrote to memory of 2300 | 3724 | DllCommonsvc.exe | 103
PID 3724 wrote to memory of 2300 | 3724 | DllCommonsvc.exe | 103
PID 2300 wrote to memory of 1500 | 2300 | fontdrvhost.exe | 105
PID 2300 wrote to memory of 1500 | 2300 | fontdrvhost.exe | 105
PID 1500 wrote to memory of 3840 | 1500 | cmd.exe | 107
PID 1500 wrote to memory of 3840 | 1500 | cmd.exe | 107
PID 1500 wrote to memory of 4344 | 1500 | cmd.exe | 111
PID 1500 wrote to memory of 4344 | 1500 | cmd.exe | 111
PID 4344 wrote to memory of 4760 | 4344 | fontdrvhost.exe | 115
PID 4344 wrote to memory of 4760 | 4344 | fontdrvhost.exe | 115
PID 4760 wrote to memory of 2652 | 4760 | cmd.exe | 117
PID 4760 wrote to memory of 2652 | 4760 | cmd.exe | 117
PID 4760 wrote to memory of 4176 | 4760 | cmd.exe | 118
PID 4760 wrote to memory of 4176 | 4760 | cmd.exe | 118
PID 4176 wrote to memory of 1220 | 4176 | fontdrvhost.exe | 120
PID 4176 wrote to memory of 1220 | 4176 | fontdrvhost.exe | 120
PID 1220 wrote to memory of 2476 | 1220 | cmd.exe | 122
PID 1220 wrote to memory of 2476 | 1220 | cmd.exe | 122
PID 1220 wrote to memory of 1760 | 1220 | cmd.exe | 124
PID 1220 wrote to memory of 1760 | 1220 | cmd.exe | 124
PID 1760 wrote to memory of 2456 | 1760 | fontdrvhost.exe | 125
PID 1760 wrote to memory of 2456 | 1760 | fontdrvhost.exe | 125
PID 2456 wrote to memory of 400 | 2456 | cmd.exe | 127
PID 2456 wrote to memory of 400 | 2456 | cmd.exe | 127
PID 2456 wrote to memory of 1428 | 2456 | cmd.exe | 128
PID 2456 wrote to memory of 1428 | 2456 | cmd.exe | 128
PID 1428 wrote to memory of 1988 | 1428 | fontdrvhost.exe | 129
PID 1428 wrote to memory of 1988 | 1428 | fontdrvhost.exe | 129
PID 1988 wrote to memory of 2780 | 1988 | cmd.exe | 131
PID 1988 wrote to memory of 2780 | 1988 | cmd.exe | 131
PID 1988 wrote to memory of 3820 | 1988 | cmd.exe | 132
PID 1988 wrote to memory of 3820 | 1988 | cmd.exe | 132
PID 3820 wrote to memory of 3932 | 3820 | fontdrvhost.exe | 133
PID 3820 wrote to memory of 3932 | 3820 | fontdrvhost.exe | 133
PID 3932 wrote to memory of 592 | 3932 | cmd.exe | 135
PID 3932 wrote to memory of 592 | 3932 | cmd.exe | 135
PID 3932 wrote to memory of 4624 | 3932 | cmd.exe | 136
PID 3932 wrote to memory of 4624 | 3932 | cmd.exe | 136
PID 4624 wrote to memory of 3840 | 4624 | fontdrvhost.exe | 137
PID 4624 wrote to memory of 3840 | 4624 | fontdrvhost.exe | 137
PID 3840 wrote to memory of 1008 | 3840 | cmd.exe | 139
PID 3840 wrote to memory of 1008 | 3840 | cmd.exe | 139
PID 3840 wrote to memory of 4992 | 3840 | cmd.exe | 140
PID 3840 wrote to memory of 4992 | 3840 | cmd.exe | 140
PID 4992 wrote to memory of 3632 | 4992 | fontdrvhost.exe | 141
PID 4992 wrote to memory of 3632 | 4992 | fontdrvhost.exe | 141
PID 3632 wrote to memory of 3712 | 3632 | cmd.exe | 143
PID 3632 wrote to memory of 3712 | 3632 | cmd.exe | 143

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87d9f864331be955c76967b41393d770c1ff2f452c748a68b5c5c4408802449a.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4120

[depth 2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4152

[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4540

[depth 4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3724

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 864

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 644

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 752

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4460

[depth 5] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2300

[depth 6] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
- Suspicious use of WriteProcessMemory
PID: 1500

[depth 7] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3840

[depth 7] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4344

[depth 8] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
- Suspicious use of WriteProcessMemory
PID: 4760

[depth 9] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2652

[depth 9] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4176

[depth 10] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
- Suspicious use of WriteProcessMemory
PID: 1220

[depth 11] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2476

[depth 11] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1760

[depth 12] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
- Suspicious use of WriteProcessMemory
PID: 2456

[depth 13] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 400

[depth 13] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1428

[depth 14] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
- Suspicious use of WriteProcessMemory
PID: 1988

[depth 15] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2780

[depth 15] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3820

[depth 16] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
- Suspicious use of WriteProcessMemory
PID: 3932

[depth 17] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 592

[depth 17] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4624

[depth 18] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
- Suspicious use of WriteProcessMemory
PID: 3840

[depth 19] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1008

[depth 19] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4992

[depth 20] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
- Suspicious use of WriteProcessMemory
PID: 3632

[depth 21] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3712

[depth 21] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4060

[depth 22] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
PID: 2532

[depth 23] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1612

[depth 23] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1580

[depth 24] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
PID: 2932

[depth 25] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3596

[depth 25] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2924

[depth 26] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
PID: 5016

[depth 27] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4392

[depth 27] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 724

[depth 28] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
PID: 1044

[depth 29] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2072

[depth 29] C:\Recovery\WindowsRE\fontdrvhost.exe
Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 864

[depth 30] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
PID: 116

[depth 31] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1764

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3008

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4900

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4292

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2080

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2252

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4824

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2084

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1144

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\appraiser\Telemetry\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 812

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 202B
MD5: 1aeb036de22d634742f61ec099af055f
SHA1: fad973a871e17aa55b6aa5fa749799ae7461e329
SHA256: 9b662deb69cab4478beb5bfeb7860275213dfaf17e93af557419290e86928e09
SHA512: a7d9314c5f99e6740c0fe11593eb88601e8124fce0ea7d2dc130beae7c7bfed4b52007d62679422d0ea1d66e89435963e216d0aa53c9c035e9733a727588c364

Filesize: 202B
MD5: c98ce57b9289d4837cd3c06354a253dc
SHA1: e896e6fa9cae05fe1bc56a4cab29b7647ccce318
SHA256: e26f39f5533c99cfeb1762b3e51648ee1c563ce5472d7626ded61fefbbc13d95
SHA512: 6a150d3ed20a70ae6717bd33745262efaa32d8e5f8734d2b64e816956ea454369239bbcec1adb8c0bd3cbb7c8e8b48f513f3684c9e3e2b526da9ee9890d8fcc9

Filesize: 202B
MD5: 70025350638da5b208fe8860daef7c12
SHA1: 5d43ef428a6e1ff62e6422140d9c76bf48b48299
SHA256: d1678284a7736fbfbabb96da43a732429bb39ce2f830e779d66acdf16063cf4d
SHA512: 4fece6bb7c3afbb0b748827143eedd4b4a16f8abaf8cec603e017a3a75fd23732b30e36270d722fdfca4cb71c53a03c563a81db428ffc7f83132548038f9e99b

Filesize: 202B
MD5: ab5e3ea2902e45ff87a3f0da7787c2a2
SHA1: b8533f5e4a9e9f9c6951b188bde871cc6b2456e3
SHA256: 85f88906ef487f5075d260fb3137d979545c63ff88309b3ad7a738e940b545a7
SHA512: b9b2b510940694e104992c340f75fea375d7c728b11af82022fed14b6815ac053ab7c6983762679d9d851ede2f84343e7c3029c714e6a627bfeddb8d991379c6

Filesize: 202B
MD5: f2ea2b031dd6199ce6ef84dfe4819ce9
SHA1: 9ebbf1a56e21b20e024c34cebc20801f5da941f8
SHA256: 4a14ec6178a8c2160dbe405f37e4aab36fbbf0cbdf00c8e25daa1c4f0c951ee3
SHA512: dc9197662e310bf8c6563b31ede19b563d19706b004501e15d13f0448ebc3e262e7f43201d40b5241eed2eb57eb29249b73a00e60163ed4ec5f29eae0d1fdb94

Filesize: 202B
MD5: 4aff229343086caf8e3ff89efd78c081
SHA1: 37f80bb77b80e28b9ec38919023b5003c9b4dd9c
SHA256: 4c78df485f40337e9ba3f95c48b3ed6727fd02cdb7cb9cd9f0510003f4d57611
SHA512: cc6c709056ce62b89fea6a8355dfb561199800fa11ebc322f13e894b71a9d42e9300b2d9af1164a4ad179bc68ed348d1ab158e2d56c7bb45eb775f56565bb639

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 202B
MD5: 760c8347641449849b1601e8ca56a56a
SHA1: 7f8b10afa7410598e9af22aad805af44e8a0bf83
SHA256: 71a4b26117521712855f6e6b4d74af0c769aac669821762cef21a13a65198edd
SHA512: d4f7292a9353fc7e3088e47a0a9a1dfc3463d27ec5f4dd5c2f2c8f83227855228e393ae65dde7f9801f1da8ba895d126f8f3de7cc19b88674185cdfa3e1d0c00

Filesize: 202B
MD5: bcc3d9c4c13d7179e75858bfc76c380a
SHA1: f77c391495fdec16193cc479216b324415bb2979
SHA256: e8f67878d59ec5339077f3f52d321110cb6aec21788b8d3e6618ebb245b1bccc
SHA512: 525a2557de69876901dbf80aa801091c0546bfc538d2731a7e0c03c16a6b6efa2ba9d7e961130cdf093dcad3afe88823317179b65676d93727e10c913bd627a8

Filesize: 202B
MD5: 6bdbc67b5c817ae6f05f1158f88e7478
SHA1: 4c2acd2d605f9f8c4f22499d8fceb862bc8d8269
SHA256: dae8ed4217116df7eb43e97e9dbcda533ba9aa0817ba1cf45ea9a72dbe4a7692
SHA512: 2790c4f5f1c24a8084df26731638445f9d6438ee4f74ff0356598d90d596afe23eef467579185c3639793ef4bfd01844f5acf231b595c9c3cabdf218d23747fc

Filesize: 202B
MD5: 8115e9730501787aebb566a55a46ebdb
SHA1: d91d52474d7bd01a1d14b2f35adc547f478033b0
SHA256: a4d3a1a0e22b7a0d82a187913c2f183f3cbbfffb64fe7e33294ae4a6e42e6e27
SHA512: 946a893f12f75b335a6dce7ed3f7b94671d7efbea42c54d686ef9242cfae18808cb35835ea5b6be94770009da1eaa5f0c3e0eefb74201f1f9f34f69eb85ab891

Filesize: 202B
MD5: 236f8dbe37593d1c39b5987ac2b1bac1
SHA1: d03ff090396e4fc02b9621b79d8dd23554181aaf
SHA256: d729860d45d9eb054adbbe8a2088f9723358182fdb88b8f56fe31e7021aca3c2
SHA512: ffb217e746f9014de50ec5cebfe631b305bac3612c8b5820eb12fe8ee71ed0d86ef11d01644454d8107dbd9da8442c387344e535a6a9a628408dbc249f6c0a35

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478