Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 01:12
Behavioral task behavioral1
Sample: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Resource: win7-20241010-en

Behavioral task behavioral2
Sample: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Size: 1.3MB
MD5: fd4723d4daed5b787199a3d5e21040b5
SHA1: 533cff7711b4d262509260280227fcb0d0433b67
SHA256: cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5
SHA512: 821cc704eaacd6cdf1891a382629ada668952d151bdd30acc8e657bcf50d6cdd1c2f9e584cbf99a40e53af726600ac7ab413ed4f3c42a90cf805b089dd043cf9
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
resource | yara_rule
behavioral2/files/0x000a000000023b4e-10.dat | dcrat
behavioral2/memory/4856-13-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat

Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 964 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2148 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3616 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4604 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1052 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5000 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1304 | 4448 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4320 | 4448 | schtasks.exe | 86
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2740 | powershell.exe
5024 | powershell.exe
1812 | powershell.exe
1840 | powershell.exe
4784 | powershell.exe
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Executes dropped EXE 16 IoCs
pid | Process
4856 | DllCommonsvc.exe
1520 | dllhost.exe
2232 | dllhost.exe
3304 | dllhost.exe
3272 | dllhost.exe
4276 | dllhost.exe
1336 | dllhost.exe
4200 | dllhost.exe
4320 | dllhost.exe
3436 | dllhost.exe
2988 | dllhost.exe
1484 | dllhost.exe
4456 | dllhost.exe
3528 | dllhost.exe
4560 | dllhost.exe
4520 | dllhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow | ioc
46 | raw.githubusercontent.com
55 | raw.githubusercontent.com
15 | raw.githubusercontent.com
45 | raw.githubusercontent.com
47 | raw.githubusercontent.com
54 | raw.githubusercontent.com
57 | raw.githubusercontent.com
58 | raw.githubusercontent.com
59 | raw.githubusercontent.com
16 | raw.githubusercontent.com
24 | raw.githubusercontent.com
39 | raw.githubusercontent.com
40 | raw.githubusercontent.com
41 | raw.githubusercontent.com
56 | raw.githubusercontent.com
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Offline Web Pages\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\Offline Web Pages\5940a34987c991 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | dllhost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
964 | schtasks.exe
5000 | schtasks.exe
4320 | schtasks.exe
532 | schtasks.exe
3984 | schtasks.exe
4604 | schtasks.exe
1052 | schtasks.exe
1964 | schtasks.exe
2148 | schtasks.exe
1872 | schtasks.exe
3616 | schtasks.exe
1304 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | Process
4856 | DllCommonsvc.exe
4856 | DllCommonsvc.exe
4856 | DllCommonsvc.exe
4856 | DllCommonsvc.exe
4856 | DllCommonsvc.exe
4784 | powershell.exe
1840 | powershell.exe
1812 | powershell.exe
2740 | powershell.exe
5024 | powershell.exe
2740 | powershell.exe
4784 | powershell.exe
1520 | dllhost.exe
1812 | powershell.exe
1840 | powershell.exe
5024 | powershell.exe
2232 | dllhost.exe
3304 | dllhost.exe
3272 | dllhost.exe
4276 | dllhost.exe
1336 | dllhost.exe
4200 | dllhost.exe
4320 | dllhost.exe
3436 | dllhost.exe
2988 | dllhost.exe
1484 | dllhost.exe
4456 | dllhost.exe
3528 | dllhost.exe
4560 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4856 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4784 | powershell.exe
Token: SeDebugPrivilege | 1840 | powershell.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeDebugPrivilege | 2740 | powershell.exe
Token: SeDebugPrivilege | 5024 | powershell.exe
Token: SeDebugPrivilege | 1520 | dllhost.exe
Token: SeDebugPrivilege | 2232 | dllhost.exe
Token: SeDebugPrivilege | 3304 | dllhost.exe
Token: SeDebugPrivilege | 3272 | dllhost.exe
Token: SeDebugPrivilege | 4276 | dllhost.exe
Token: SeDebugPrivilege | 1336 | dllhost.exe
Token: SeDebugPrivilege | 4200 | dllhost.exe
Token: SeDebugPrivilege | 4320 | dllhost.exe
Token: SeDebugPrivilege | 3436 | dllhost.exe
Token: SeDebugPrivilege | 2988 | dllhost.exe
Token: SeDebugPrivilege | 1484 | dllhost.exe
Token: SeDebugPrivilege | 4456 | dllhost.exe
Token: SeDebugPrivilege | 3528 | dllhost.exe
Token: SeDebugPrivilege | 4560 | dllhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3212 wrote to memory of 4408 | 3212 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 82
PID 3212 wrote to memory of 4408 | 3212 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 82
PID 3212 wrote to memory of 4408 | 3212 | JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe | 82
PID 4408 wrote to memory of 2080 | 4408 | WScript.exe | 83
PID 4408 wrote to memory of 2080 | 4408 | WScript.exe | 83
PID 4408 wrote to memory of 2080 | 4408 | WScript.exe | 83
PID 2080 wrote to memory of 4856 | 2080 | cmd.exe | 85
PID 2080 wrote to memory of 4856 | 2080 | cmd.exe | 85
PID 4856 wrote to memory of 2740 | 4856 | DllCommonsvc.exe | 99
PID 4856 wrote to memory of 2740 | 4856 | DllCommonsvc.exe | 99
PID 4856 wrote to memory of 5024 | 4856 | DllCommonsvc.exe | 100
PID 4856 wrote to memory of 5024 | 4856 | DllCommonsvc.exe | 100
PID 4856 wrote to memory of 1812 | 4856 | DllCommonsvc.exe | 101
PID 4856 wrote to memory of 1812 | 4856 | DllCommonsvc.exe | 101
PID 4856 wrote to memory of 1840 | 4856 | DllCommonsvc.exe | 102
PID 4856 wrote to memory of 1840 | 4856 | DllCommonsvc.exe | 102
PID 4856 wrote to memory of 4784 | 4856 | DllCommonsvc.exe | 103
PID 4856 wrote to memory of 4784 | 4856 | DllCommonsvc.exe | 103
PID 4856 wrote to memory of 1520 | 4856 | DllCommonsvc.exe | 108
PID 4856 wrote to memory of 1520 | 4856 | DllCommonsvc.exe | 108
PID 1520 wrote to memory of 3892 | 1520 | dllhost.exe | 110
PID 1520 wrote to memory of 3892 | 1520 | dllhost.exe | 110
PID 3892 wrote to memory of 912 | 3892 | cmd.exe | 112
PID 3892 wrote to memory of 912 | 3892 | cmd.exe | 112
PID 3892 wrote to memory of 2232 | 3892 | cmd.exe | 116
PID 3892 wrote to memory of 2232 | 3892 | cmd.exe | 116
PID 2232 wrote to memory of 4816 | 2232 | dllhost.exe | 120
PID 2232 wrote to memory of 4816 | 2232 | dllhost.exe | 120
PID 4816 wrote to memory of 440 | 4816 | cmd.exe | 122
PID 4816 wrote to memory of 440 | 4816 | cmd.exe | 122
PID 4816 wrote to memory of 3304 | 4816 | cmd.exe | 123
PID 4816 wrote to memory of 3304 | 4816 | cmd.exe | 123
PID 3304 wrote to memory of 3056 | 3304 | dllhost.exe | 126
PID 3304 wrote to memory of 3056 | 3304 | dllhost.exe | 126
PID 3056 wrote to memory of 4040 | 3056 | cmd.exe | 128
PID 3056 wrote to memory of 4040 | 3056 | cmd.exe | 128
PID 3056 wrote to memory of 3272 | 3056 | cmd.exe | 129
PID 3056 wrote to memory of 3272 | 3056 | cmd.exe | 129
PID 3272 wrote to memory of 3096 | 3272 | dllhost.exe | 130
PID 3272 wrote to memory of 3096 | 3272 | dllhost.exe | 130
PID 3096 wrote to memory of 3260 | 3096 | cmd.exe | 132
PID 3096 wrote to memory of 3260 | 3096 | cmd.exe | 132
PID 3096 wrote to memory of 4276 | 3096 | cmd.exe | 133
PID 3096 wrote to memory of 4276 | 3096 | cmd.exe | 133
PID 4276 wrote to memory of 1812 | 4276 | dllhost.exe | 134
PID 4276 wrote to memory of 1812 | 4276 | dllhost.exe | 134
PID 1812 wrote to memory of 1452 | 1812 | cmd.exe | 136
PID 1812 wrote to memory of 1452 | 1812 | cmd.exe | 136
PID 1812 wrote to memory of 1336 | 1812 | cmd.exe | 137
PID 1812 wrote to memory of 1336 | 1812 | cmd.exe | 137
PID 1336 wrote to memory of 2212 | 1336 | dllhost.exe | 138
PID 1336 wrote to memory of 2212 | 1336 | dllhost.exe | 138
PID 2212 wrote to memory of 4528 | 2212 | cmd.exe | 140
PID 2212 wrote to memory of 4528 | 2212 | cmd.exe | 140
PID 2212 wrote to memory of 4200 | 2212 | cmd.exe | 141
PID 2212 wrote to memory of 4200 | 2212 | cmd.exe | 141
PID 4200 wrote to memory of 4904 | 4200 | dllhost.exe | 142
PID 4200 wrote to memory of 4904 | 4200 | dllhost.exe | 142
PID 4904 wrote to memory of 4328 | 4904 | cmd.exe | 144
PID 4904 wrote to memory of 4328 | 4904 | cmd.exe | 144
PID 4904 wrote to memory of 4320 | 4904 | cmd.exe | 145
PID 4904 wrote to memory of 4320 | 4904 | cmd.exe | 145
PID 4320 wrote to memory of 3540 | 4320 | dllhost.exe | 146
PID 4320 wrote to memory of 3540 | 4320 | dllhost.exe | 146
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3212

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4408

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2080

Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4856

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2740

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5024

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1812

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1840

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4784
Depth 5: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1520

Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
- Suspicious use of WriteProcessMemory
PID: 3892

Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 912

Depth 7: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2232

Depth 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
- Suspicious use of WriteProcessMemory
PID: 4816

Depth 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 440

Depth 9: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3304

Depth 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
- Suspicious use of WriteProcessMemory
PID: 3056

Depth 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4040

Depth 11: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3272

Depth 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
- Suspicious use of WriteProcessMemory
PID: 3096

Depth 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3260

Depth 13: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4276

Depth 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
- Suspicious use of WriteProcessMemory
PID: 1812

Depth 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1452

Depth 15: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1336

Depth 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
- Suspicious use of WriteProcessMemory
PID: 2212

Depth 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4528

Depth 17: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4200

Depth 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
- Suspicious use of WriteProcessMemory
PID: 4904

Depth 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4328

Depth 19: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4320

Depth 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
PID: 3540

Depth 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4816

Depth 21: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3436

Depth 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
PID: 2200

Depth 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3788

Depth 23: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2988

Depth 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
PID: 1264

Depth 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1796

Depth 25: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1484

Depth 26: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
PID: 2956

Depth 27: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4276

Depth 27: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4456

Depth 28: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
PID: 4580

Depth 29: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4696

Depth 29: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3528

Depth 30: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
PID: 672

Depth 31: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4892

Depth 31: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4560

Depth 32: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
PID: 3700

Depth 33: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 244

Depth 33: C:\Windows\Offline Web Pages\dllhost.exe
Command line: "C:\Windows\Offline Web Pages\dllhost.exe"
- Executes dropped EXE
PID: 4520
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 964

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1964

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2148

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1872

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3616

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 532

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3984

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4604

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1052

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5000

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1304

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4320
Network
MITRE ATT&CK Enterprise v15
Downloads