Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 02:48
Behavioral task behavioral1
  Sample: JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
Size: 1.3MB
MD5: e528a270f37e906c1aab696b5cb6249b
SHA1: 6a0e39acd6078a45ad016fdf0e7720a9e3970ba5
SHA256: 674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c
SHA512: 15786861b57c0a7158d73267c21f84702cc1d7be93d83499c84e5e47adc55c5dcb0d15696b6b8070a4925507571e2f697e33bae270e3e10f0f5f40c2dea20f20
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1860 | 8 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4036 | 8 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5052 | 8 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3392 | 8 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 8 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3548 | 8 | schtasks.exe | 88

resource | yara_rule
behavioral2/files/0x0008000000023bb9-10.dat | dcrat
behavioral2/memory/412-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5000 | powershell.exe
3616 | powershell.exe
4452 | powershell.exe
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | sysmon.exe
Executes dropped EXE (15 IoCs)
pid | Process
412 | DllCommonsvc.exe
4540 | sysmon.exe
968 | sysmon.exe
1224 | sysmon.exe
4888 | sysmon.exe
1100 | sysmon.exe
3296 | sysmon.exe
548 | sysmon.exe
3984 | sysmon.exe
928 | sysmon.exe
3668 | sysmon.exe
2744 | sysmon.exe
3076 | sysmon.exe
4104 | sysmon.exe
2416 | sysmon.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 14 IoCs)
flow | ioc
43 | raw.githubusercontent.com
58 | raw.githubusercontent.com
60 | raw.githubusercontent.com
14 | raw.githubusercontent.com
20 | raw.githubusercontent.com
57 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
48 | raw.githubusercontent.com
49 | raw.githubusercontent.com
52 | raw.githubusercontent.com
59 | raw.githubusercontent.com
37 | raw.githubusercontent.com
44 | raw.githubusercontent.com
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\e6c9b481da804f | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\121e5b5079f7c0 | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | sysmon.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3068 | schtasks.exe
3548 | schtasks.exe
1860 | schtasks.exe
4036 | schtasks.exe
5052 | schtasks.exe
3392 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid | Process
412 | DllCommonsvc.exe
4452 | powershell.exe
5000 | powershell.exe
3616 | powershell.exe
3616 | powershell.exe
4452 | powershell.exe
5000 | powershell.exe
4540 | sysmon.exe
968 | sysmon.exe
1224 | sysmon.exe
4888 | sysmon.exe
1100 | sysmon.exe
3296 | sysmon.exe
548 | sysmon.exe
3984 | sysmon.exe
928 | sysmon.exe
3668 | sysmon.exe
2744 | sysmon.exe
3076 | sysmon.exe
4104 | sysmon.exe
2416 | sysmon.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 412 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4452 | powershell.exe
Token: SeDebugPrivilege | 5000 | powershell.exe
Token: SeDebugPrivilege | 3616 | powershell.exe
Token: SeDebugPrivilege | 4540 | sysmon.exe
Token: SeDebugPrivilege | 968 | sysmon.exe
Token: SeDebugPrivilege | 1224 | sysmon.exe
Token: SeDebugPrivilege | 4888 | sysmon.exe
Token: SeDebugPrivilege | 1100 | sysmon.exe
Token: SeDebugPrivilege | 3296 | sysmon.exe
Token: SeDebugPrivilege | 548 | sysmon.exe
Token: SeDebugPrivilege | 3984 | sysmon.exe
Token: SeDebugPrivilege | 928 | sysmon.exe
Token: SeDebugPrivilege | 3668 | sysmon.exe
Token: SeDebugPrivilege | 2744 | sysmon.exe
Token: SeDebugPrivilege | 3076 | sysmon.exe
Token: SeDebugPrivilege | 4104 | sysmon.exe
Token: SeDebugPrivilege | 2416 | sysmon.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_674b0e9306ee438b50e6facff73dbc3a10a48e3cd1d6b7df39d96a6914a0a25c.exe"
  PID: 2484
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2804
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  PID: 4636
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 412
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 5000
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'
  PID: 3616
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'
  PID: 4452
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 5: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 4540
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
  PID: 2460
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4988

Level 7: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 968
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
  PID: 4720
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4460

Level 9: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 1224
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
  PID: 3068
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4648

Level 11: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 4888
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
  PID: 1404
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4964

Level 13: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 1100
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
  PID: 1916
  - Suspicious use of WriteProcessMemory

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3836

Level 15: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 3296
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
  PID: 3872
  - Suspicious use of WriteProcessMemory

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4740

Level 17: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 548
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
  PID: 3392
  - Suspicious use of WriteProcessMemory

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3404

Level 19: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 3984
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
  PID: 4332
  - Suspicious use of WriteProcessMemory

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2068

Level 21: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 928
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
  PID: 4112

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3320

Level 23: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 3668
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
  PID: 3588

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5012

Level 25: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 2744
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
  PID: 2260

Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4804

Level 27: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 3076
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 28: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
  PID: 3112

Level 29: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1860

Level 29: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 4104
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 30: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
  PID: 1652

Level 31: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4356

Level 31: C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe
  Command line: "C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe"
  PID: 2416
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /f
  PID: 1860
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /rl HIGHEST /f
  PID: 4036
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\OfficeClickToRun.exe'" /rl HIGHEST /f
  PID: 5052
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /f
  PID: 3392
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /rl HIGHEST /f
  PID: 3068
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\sysmon.exe'" /rl HIGHEST /f
  PID: 3548
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads