Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 05:10
Behavioral task behavioral1
Sample: JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Size: 1.3MB
MD5: 427f7790d059cd2061ba031492d36424
SHA1: ee9e9244d72b852328b8b8666801c02b056dd21c
SHA256: 0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe
SHA512: f981d1e04e6ef86de82f42f66e96c8896aa452fea6ff78a2856b9d8bc7fca28be6211b85aeac2e6b46f2a69c43e3408e8e4fe73805d0280082c3ef9f84b41862
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4116 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 220 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4464 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 208 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4056 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4984 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 100 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3704 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4052 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 3772 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3292 | 3772 | schtasks.exe | 87
-
resource | yara_rule
behavioral2/files/0x000a000000023b88-10.dat | dcrat
behavioral2/memory/3784-13-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2008 | powershell.exe
2096 | powershell.exe
2552 | powershell.exe
4060 | powershell.exe
4840 | powershell.exe
3972 | powershell.exe
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | upfc.exe
-
Executes dropped EXE 15 IoCs
pid | Process
3784 | DllCommonsvc.exe
3712 | upfc.exe
4460 | upfc.exe
4844 | upfc.exe
4768 | upfc.exe
4812 | upfc.exe
2032 | upfc.exe
3172 | upfc.exe
3148 | upfc.exe
1384 | upfc.exe
4016 | upfc.exe
4980 | upfc.exe
2608 | upfc.exe
2128 | upfc.exe
3992 | upfc.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow | ioc
53 | raw.githubusercontent.com
20 | raw.githubusercontent.com
38 | raw.githubusercontent.com
45 | raw.githubusercontent.com
46 | raw.githubusercontent.com
52 | raw.githubusercontent.com
39 | raw.githubusercontent.com
44 | raw.githubusercontent.com
42 | raw.githubusercontent.com
54 | raw.githubusercontent.com
55 | raw.githubusercontent.com
19 | raw.githubusercontent.com
30 | raw.githubusercontent.com
56 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\7-Zip\Lang\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\dotnet\9e8d7a4ca61bd9 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | upfc.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4464 | schtasks.exe
3252 | schtasks.exe
4056 | schtasks.exe
3292 | schtasks.exe
220 | schtasks.exe
3704 | schtasks.exe
2944 | schtasks.exe
4052 | schtasks.exe
2824 | schtasks.exe
4792 | schtasks.exe
3756 | schtasks.exe
4116 | schtasks.exe
208 | schtasks.exe
4984 | schtasks.exe
100 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid | Process
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
3784 | DllCommonsvc.exe
2552 | powershell.exe
2008 | powershell.exe
2552 | powershell.exe
4840 | powershell.exe
3972 | powershell.exe
4060 | powershell.exe
4060 | powershell.exe
2096 | powershell.exe
2008 | powershell.exe
4840 | powershell.exe
3972 | powershell.exe
2096 | powershell.exe
3712 | upfc.exe
4460 | upfc.exe
4844 | upfc.exe
4768 | upfc.exe
4812 | upfc.exe
2032 | upfc.exe
3172 | upfc.exe
3148 | upfc.exe
1384 | upfc.exe
4016 | upfc.exe
4980 | upfc.exe
2608 | upfc.exe
2128 | upfc.exe
3992 | upfc.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3784 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2552 | powershell.exe
Token: SeDebugPrivilege | 2008 | powershell.exe
Token: SeDebugPrivilege | 4840 | powershell.exe
Token: SeDebugPrivilege | 3972 | powershell.exe
Token: SeDebugPrivilege | 4060 | powershell.exe
Token: SeDebugPrivilege | 2096 | powershell.exe
Token: SeDebugPrivilege | 3712 | upfc.exe
Token: SeDebugPrivilege | 4460 | upfc.exe
Token: SeDebugPrivilege | 4844 | upfc.exe
Token: SeDebugPrivilege | 4768 | upfc.exe
Token: SeDebugPrivilege | 4812 | upfc.exe
Token: SeDebugPrivilege | 2032 | upfc.exe
Token: SeDebugPrivilege | 3172 | upfc.exe
Token: SeDebugPrivilege | 3148 | upfc.exe
Token: SeDebugPrivilege | 1384 | upfc.exe
Token: SeDebugPrivilege | 4016 | upfc.exe
Token: SeDebugPrivilege | 4980 | upfc.exe
Token: SeDebugPrivilege | 2608 | upfc.exe
Token: SeDebugPrivilege | 2128 | upfc.exe
Token: SeDebugPrivilege | 3992 | upfc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 676 wrote to memory of 3712 | 676 | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe | 83
PID 676 wrote to memory of 3712 | 676 | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe | 83
PID 676 wrote to memory of 3712 | 676 | JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe | 83
PID 3712 wrote to memory of 4912 | 3712 | WScript.exe | 84
PID 3712 wrote to memory of 4912 | 3712 | WScript.exe | 84
PID 3712 wrote to memory of 4912 | 3712 | WScript.exe | 84
PID 4912 wrote to memory of 3784 | 4912 | cmd.exe | 86
PID 4912 wrote to memory of 3784 | 4912 | cmd.exe | 86
PID 3784 wrote to memory of 2008 | 3784 | DllCommonsvc.exe | 104
PID 3784 wrote to memory of 2008 | 3784 | DllCommonsvc.exe | 104
PID 3784 wrote to memory of 2096 | 3784 | DllCommonsvc.exe | 105
PID 3784 wrote to memory of 2096 | 3784 | DllCommonsvc.exe | 105
PID 3784 wrote to memory of 2552 | 3784 | DllCommonsvc.exe | 106
PID 3784 wrote to memory of 2552 | 3784 | DllCommonsvc.exe | 106
PID 3784 wrote to memory of 4060 | 3784 | DllCommonsvc.exe | 107
PID 3784 wrote to memory of 4060 | 3784 | DllCommonsvc.exe | 107
PID 3784 wrote to memory of 4840 | 3784 | DllCommonsvc.exe | 108
PID 3784 wrote to memory of 4840 | 3784 | DllCommonsvc.exe | 108
PID 3784 wrote to memory of 3972 | 3784 | DllCommonsvc.exe | 109
PID 3784 wrote to memory of 3972 | 3784 | DllCommonsvc.exe | 109
PID 3784 wrote to memory of 1100 | 3784 | DllCommonsvc.exe | 115
PID 3784 wrote to memory of 1100 | 3784 | DllCommonsvc.exe | 115
PID 1100 wrote to memory of 1640 | 1100 | cmd.exe | 118
PID 1100 wrote to memory of 1640 | 1100 | cmd.exe | 118
PID 1100 wrote to memory of 3712 | 1100 | cmd.exe | 124
PID 1100 wrote to memory of 3712 | 1100 | cmd.exe | 124
PID 3712 wrote to memory of 4628 | 3712 | upfc.exe | 132
PID 3712 wrote to memory of 4628 | 3712 | upfc.exe | 132
PID 4628 wrote to memory of 1948 | 4628 | cmd.exe | 134
PID 4628 wrote to memory of 1948 | 4628 | cmd.exe | 134
PID 4628 wrote to memory of 4460 | 4628 | cmd.exe | 136
PID 4628 wrote to memory of 4460 | 4628 | cmd.exe | 136
PID 4460 wrote to memory of 3156 | 4460 | upfc.exe | 140
PID 4460 wrote to memory of 3156 | 4460 | upfc.exe | 140
PID 3156 wrote to memory of 2540 | 3156 | cmd.exe | 142
PID 3156 wrote to memory of 2540 | 3156 | cmd.exe | 142
PID 3156 wrote to memory of 4844 | 3156 | cmd.exe | 145
PID 3156 wrote to memory of 4844 | 3156 | cmd.exe | 145
PID 4844 wrote to memory of 2440 | 4844 | upfc.exe | 147
PID 4844 wrote to memory of 2440 | 4844 | upfc.exe | 147
PID 2440 wrote to memory of 2488 | 2440 | cmd.exe | 149
PID 2440 wrote to memory of 2488 | 2440 | cmd.exe | 149
PID 2440 wrote to memory of 4768 | 2440 | cmd.exe | 151
PID 2440 wrote to memory of 4768 | 2440 | cmd.exe | 151
PID 4768 wrote to memory of 4296 | 4768 | upfc.exe | 153
PID 4768 wrote to memory of 4296 | 4768 | upfc.exe | 153
PID 4296 wrote to memory of 1952 | 4296 | cmd.exe | 155
PID 4296 wrote to memory of 1952 | 4296 | cmd.exe | 155
PID 4296 wrote to memory of 4812 | 4296 | cmd.exe | 157
PID 4296 wrote to memory of 4812 | 4296 | cmd.exe | 157
PID 4812 wrote to memory of 1016 | 4812 | upfc.exe | 159
PID 4812 wrote to memory of 1016 | 4812 | upfc.exe | 159
PID 1016 wrote to memory of 2976 | 1016 | cmd.exe | 161
PID 1016 wrote to memory of 2976 | 1016 | cmd.exe | 161
PID 1016 wrote to memory of 2032 | 1016 | cmd.exe | 163
PID 1016 wrote to memory of 2032 | 1016 | cmd.exe | 163
PID 2032 wrote to memory of 2664 | 2032 | upfc.exe | 165
PID 2032 wrote to memory of 2664 | 2032 | upfc.exe | 165
PID 2664 wrote to memory of 4620 | 2664 | cmd.exe | 167
PID 2664 wrote to memory of 4620 | 2664 | cmd.exe | 167
PID 2664 wrote to memory of 3172 | 2664 | cmd.exe | 169
PID 2664 wrote to memory of 3172 | 2664 | cmd.exe | 169
PID 3172 wrote to memory of 2088 | 3172 | upfc.exe | 171
PID 3172 wrote to memory of 2088 | 3172 | upfc.exe | 171
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the nesting depth in the process tree, the PID, the image path and the command line, followed by the signatures triggered by that process.

depth 1 | PID 676 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

depth 2 | PID 3712 | C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

depth 3 | PID 4912 | C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

depth 4 | PID 3784 | C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 5 | PID 2008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 2096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 2552 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 4060 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 4840 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 3972 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\RuntimeBroker.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 5 | PID 1100 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvqyh5QgiF.bat"
  - Suspicious use of WriteProcessMemory

depth 6 | PID 1640 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 6 | PID 3712 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 7 | PID 4628 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
  - Suspicious use of WriteProcessMemory

depth 8 | PID 1948 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 8 | PID 4460 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 9 | PID 3156 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
  - Suspicious use of WriteProcessMemory

depth 10 | PID 2540 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 10 | PID 4844 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 11 | PID 2440 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
  - Suspicious use of WriteProcessMemory

depth 12 | PID 2488 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 12 | PID 4768 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 13 | PID 4296 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
  - Suspicious use of WriteProcessMemory

depth 14 | PID 1952 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 14 | PID 4812 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 15 | PID 1016 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
  - Suspicious use of WriteProcessMemory

depth 16 | PID 2976 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 16 | PID 2032 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 17 | PID 2664 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
  - Suspicious use of WriteProcessMemory

depth 18 | PID 4620 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 18 | PID 3172 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 19 | PID 2088 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"

depth 20 | PID 4696 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 20 | PID 3148 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 21 | PID 4816 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"

depth 22 | PID 3952 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 22 | PID 1384 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 23 | PID 5008 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"

depth 24 | PID 3252 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 24 | PID 4016 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 25 | PID 2216 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"

depth 26 | PID 2388 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 26 | PID 4980 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 27 | PID 8 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"

depth 28 | PID 4528 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 28 | PID 2608 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 29 | PID 396 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"

depth 30 | PID 3532 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 30 | PID 2128 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 31 | PID 1512 | C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"

depth 32 | PID 4960 | C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

depth 32 | PID 3992 | C:\Recovery\WindowsRE\upfc.exe
  cmdline: "C:\Recovery\WindowsRE\upfc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 1 | PID 4116 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 220 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 2944 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 4464 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 208 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 3252 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 4056 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 4984 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 100 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 3704 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 4052 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 2824 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 3756 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 4792 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

depth 1 | PID 3292 | C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads