Analysis
- max time kernel: 146s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2024, 11:03
Behavioral task behavioral1
- Sample: JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
- Size: 1.3MB
- MD5: 27ae919b3be2d7828dfd0c8b33360306
- SHA1: a83ac006784190638f718f27ea6cb9763c67fdef
- SHA256: c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212
- SHA512: 94c1f8ef256c811bd4049592c347becc709f339fad0ddb947c2460b3e1595479855c039b91b48f90d3559c527e504887a56e8d4ed0c3b2b9c3195754dee774c7
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral2/files/0x000a000000023b80-10.dat | dcrat
behavioral2/memory/1968-13-0x0000000000860000-0x0000000000970000-memory.dmp | dcrat

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3668 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3924 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3488 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 3520 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 3520 | schtasks.exe | 86
Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2624 | powershell.exe
4316 | powershell.exe
4388 | powershell.exe
1668 | powershell.exe
1608 | powershell.exe
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | upfc.exe
Executes dropped EXE (13 IoCs)
pid | Process
1968 | DllCommonsvc.exe
1880 | upfc.exe
2576 | upfc.exe
320 | upfc.exe
1864 | upfc.exe
4224 | upfc.exe
4264 | upfc.exe
3968 | upfc.exe
4144 | upfc.exe
2940 | upfc.exe
3960 | upfc.exe
2772 | upfc.exe
3892 | upfc.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)
flow | ioc
22 | raw.githubusercontent.com
40 | raw.githubusercontent.com
43 | raw.githubusercontent.com
44 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
53 | raw.githubusercontent.com
23 | raw.githubusercontent.com
25 | raw.githubusercontent.com
39 | raw.githubusercontent.com
45 | raw.githubusercontent.com
50 | raw.githubusercontent.com
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Google\Update\RuntimeBroker.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Google\Update\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\38384e6a620884 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | upfc.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
784 | schtasks.exe
1368 | schtasks.exe
2464 | schtasks.exe
1736 | schtasks.exe
872 | schtasks.exe
3924 | schtasks.exe
3656 | schtasks.exe
3488 | schtasks.exe
1552 | schtasks.exe
3668 | schtasks.exe
2952 | schtasks.exe
1844 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
1968 | DllCommonsvc.exe
1968 | DllCommonsvc.exe
1968 | DllCommonsvc.exe
4316 | powershell.exe
1668 | powershell.exe
4316 | powershell.exe
4388 | powershell.exe
1608 | powershell.exe
2624 | powershell.exe
4388 | powershell.exe
1608 | powershell.exe
1668 | powershell.exe
2624 | powershell.exe
1880 | upfc.exe
2576 | upfc.exe
320 | upfc.exe
1864 | upfc.exe
4224 | upfc.exe
4264 | upfc.exe
3968 | upfc.exe
4144 | upfc.exe
2940 | upfc.exe
3960 | upfc.exe
2772 | upfc.exe
3892 | upfc.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1968 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4316 | powershell.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 1608 | powershell.exe
Token: SeDebugPrivilege | 4388 | powershell.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeDebugPrivilege | 1880 | upfc.exe
Token: SeDebugPrivilege | 2576 | upfc.exe
Token: SeDebugPrivilege | 320 | upfc.exe
Token: SeDebugPrivilege | 1864 | upfc.exe
Token: SeDebugPrivilege | 4224 | upfc.exe
Token: SeDebugPrivilege | 4264 | upfc.exe
Token: SeDebugPrivilege | 3968 | upfc.exe
Token: SeDebugPrivilege | 4144 | upfc.exe
Token: SeDebugPrivilege | 2940 | upfc.exe
Token: SeDebugPrivilege | 3960 | upfc.exe
Token: SeDebugPrivilege | 2772 | upfc.exe
Token: SeDebugPrivilege | 3892 | upfc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2872 wrote to memory of 4520 | 2872 | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe | 82
PID 2872 wrote to memory of 4520 | 2872 | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe | 82
PID 2872 wrote to memory of 4520 | 2872 | JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe | 82
PID 4520 wrote to memory of 2240 | 4520 | WScript.exe | 87
PID 4520 wrote to memory of 2240 | 4520 | WScript.exe | 87
PID 4520 wrote to memory of 2240 | 4520 | WScript.exe | 87
PID 2240 wrote to memory of 1968 | 2240 | cmd.exe | 89
PID 2240 wrote to memory of 1968 | 2240 | cmd.exe | 89
PID 1968 wrote to memory of 2624 | 1968 | DllCommonsvc.exe | 102
PID 1968 wrote to memory of 2624 | 1968 | DllCommonsvc.exe | 102
PID 1968 wrote to memory of 1608 | 1968 | DllCommonsvc.exe | 103
PID 1968 wrote to memory of 1608 | 1968 | DllCommonsvc.exe | 103
PID 1968 wrote to memory of 1668 | 1968 | DllCommonsvc.exe | 104
PID 1968 wrote to memory of 1668 | 1968 | DllCommonsvc.exe | 104
PID 1968 wrote to memory of 4388 | 1968 | DllCommonsvc.exe | 105
PID 1968 wrote to memory of 4388 | 1968 | DllCommonsvc.exe | 105
PID 1968 wrote to memory of 4316 | 1968 | DllCommonsvc.exe | 106
PID 1968 wrote to memory of 4316 | 1968 | DllCommonsvc.exe | 106
PID 1968 wrote to memory of 2196 | 1968 | DllCommonsvc.exe | 112
PID 1968 wrote to memory of 2196 | 1968 | DllCommonsvc.exe | 112
PID 2196 wrote to memory of 4124 | 2196 | cmd.exe | 114
PID 2196 wrote to memory of 4124 | 2196 | cmd.exe | 114
PID 2196 wrote to memory of 1880 | 2196 | cmd.exe | 118
PID 2196 wrote to memory of 1880 | 2196 | cmd.exe | 118
PID 1880 wrote to memory of 4728 | 1880 | upfc.exe | 119
PID 1880 wrote to memory of 4728 | 1880 | upfc.exe | 119
PID 4728 wrote to memory of 3728 | 4728 | cmd.exe | 121
PID 4728 wrote to memory of 3728 | 4728 | cmd.exe | 121
PID 4728 wrote to memory of 2576 | 4728 | cmd.exe | 122
PID 4728 wrote to memory of 2576 | 4728 | cmd.exe | 122
PID 2576 wrote to memory of 3088 | 2576 | upfc.exe | 123
PID 2576 wrote to memory of 3088 | 2576 | upfc.exe | 123
PID 3088 wrote to memory of 1844 | 3088 | cmd.exe | 125
PID 3088 wrote to memory of 1844 | 3088 | cmd.exe | 125
PID 3088 wrote to memory of 320 | 3088 | cmd.exe | 127
PID 3088 wrote to memory of 320 | 3088 | cmd.exe | 127
PID 320 wrote to memory of 5028 | 320 | upfc.exe | 129
PID 320 wrote to memory of 5028 | 320 | upfc.exe | 129
PID 5028 wrote to memory of 1192 | 5028 | cmd.exe | 131
PID 5028 wrote to memory of 1192 | 5028 | cmd.exe | 131
PID 5028 wrote to memory of 1864 | 5028 | cmd.exe | 132
PID 5028 wrote to memory of 1864 | 5028 | cmd.exe | 132
PID 1864 wrote to memory of 3332 | 1864 | upfc.exe | 133
PID 1864 wrote to memory of 3332 | 1864 | upfc.exe | 133
PID 3332 wrote to memory of 2428 | 3332 | cmd.exe | 135
PID 3332 wrote to memory of 2428 | 3332 | cmd.exe | 135
PID 3332 wrote to memory of 4224 | 3332 | cmd.exe | 136
PID 3332 wrote to memory of 4224 | 3332 | cmd.exe | 136
PID 4224 wrote to memory of 1756 | 4224 | upfc.exe | 137
PID 4224 wrote to memory of 1756 | 4224 | upfc.exe | 137
PID 1756 wrote to memory of 4456 | 1756 | cmd.exe | 139
PID 1756 wrote to memory of 4456 | 1756 | cmd.exe | 139
PID 1756 wrote to memory of 4264 | 1756 | cmd.exe | 140
PID 1756 wrote to memory of 4264 | 1756 | cmd.exe | 140
PID 4264 wrote to memory of 4084 | 4264 | upfc.exe | 141
PID 4264 wrote to memory of 4084 | 4264 | upfc.exe | 141
PID 4084 wrote to memory of 2024 | 4084 | cmd.exe | 143
PID 4084 wrote to memory of 2024 | 4084 | cmd.exe | 143
PID 4084 wrote to memory of 3968 | 4084 | cmd.exe | 144
PID 4084 wrote to memory of 3968 | 4084 | cmd.exe | 144
PID 3968 wrote to memory of 3916 | 3968 | upfc.exe | 145
PID 3968 wrote to memory of 3916 | 3968 | upfc.exe | 145
PID 3916 wrote to memory of 1632 | 3916 | cmd.exe | 147
PID 3916 wrote to memory of 1632 | 3916 | cmd.exe | 147
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2872

Process (depth 2): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4520

Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2240

Process (depth 4): C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1968

Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2624

Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1608

Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1668

Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4388

Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4316

Process (depth 5): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat"
- Suspicious use of WriteProcessMemory
PID: 2196

Process (depth 6): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4124

Process (depth 6): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1880

Process (depth 7): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
- Suspicious use of WriteProcessMemory
PID: 4728

Process (depth 8): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3728

Process (depth 8): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2576

Process (depth 9): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
- Suspicious use of WriteProcessMemory
PID: 3088

Process (depth 10): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1844

Process (depth 10): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 320

Process (depth 11): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
- Suspicious use of WriteProcessMemory
PID: 5028

Process (depth 12): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1192

Process (depth 12): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1864

Process (depth 13): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
- Suspicious use of WriteProcessMemory
PID: 3332

Process (depth 14): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2428

Process (depth 14): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4224

Process (depth 15): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
- Suspicious use of WriteProcessMemory
PID: 1756

Process (depth 16): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4456

Process (depth 16): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4264

Process (depth 17): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
- Suspicious use of WriteProcessMemory
PID: 4084

Process (depth 18): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2024

Process (depth 18): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3968

Process (depth 19): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
- Suspicious use of WriteProcessMemory
PID: 3916

Process (depth 20): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1632

Process (depth 20): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4144

Process (depth 21): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
PID: 872

Process (depth 22): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3804

Process (depth 22): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2940

Process (depth 23): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
PID: 784

Process (depth 24): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4328

Process (depth 24): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3960

Process (depth 25): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
PID: 4576

Process (depth 26): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2016

Process (depth 26): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2772

Process (depth 27): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
PID: 2404

Process (depth 28): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1088

Process (depth 28): C:\providercommon\upfc.exe
Command line: "C:\providercommon\upfc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3892

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2464

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1736

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3668

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 872

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2952

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3924

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3656

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1844

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3488

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 784

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1368

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1552
Network
MITRE ATT&CK Enterprise v15
Downloads