Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 18:16
Behavioral task: behavioral1
Sample: JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Size: 1.3MB
MD5: d40139b905cf0ec11a2b5e4969e16d5f
SHA1: 1a887bbc407efe7cccbe07598a3a67f20dbe29ff
SHA256: e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651
SHA512: ee798c7b6b86a8b51a420036daff14818fb855b50e47a2e1f5ac89ae835355c4ff8f2976e09c07665af2bdb87bec7614173a5d1a600269300cc0de8d5e851999
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral2/files/0x0007000000023c79-10.dat | dcrat
behavioral2/memory/1372-13-0x0000000000D40000-0x0000000000E50000-memory.dmp | dcrat

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3084 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4724 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4972 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3720 | 2088 | schtasks.exe | 90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2088 | schtasks.exe | 90
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4916 | powershell.exe
3468 | powershell.exe
4172 | powershell.exe
3792 | powershell.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Executes dropped EXE (13 IoCs)
pid | Process
1372 | DllCommonsvc.exe
3016 | DllCommonsvc.exe
556 | DllCommonsvc.exe
3300 | DllCommonsvc.exe
4968 | DllCommonsvc.exe
4424 | DllCommonsvc.exe
4684 | DllCommonsvc.exe
4788 | DllCommonsvc.exe
3240 | DllCommonsvc.exe
4260 | DllCommonsvc.exe
3024 | DllCommonsvc.exe
1108 | DllCommonsvc.exe
4056 | DllCommonsvc.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
42 | raw.githubusercontent.com
46 | raw.githubusercontent.com
48 | raw.githubusercontent.com
47 | raw.githubusercontent.com
53 | raw.githubusercontent.com
54 | raw.githubusercontent.com
18 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
27 | raw.githubusercontent.com
41 | raw.githubusercontent.com
55 | raw.githubusercontent.com
56 | raw.githubusercontent.com
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\addins\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Windows\addins\5b884080fd4f94 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | DllCommonsvc.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3084 | schtasks.exe
1844 | schtasks.exe
2800 | schtasks.exe
3128 | schtasks.exe
4724 | schtasks.exe
1708 | schtasks.exe
2396 | schtasks.exe
4972 | schtasks.exe
3720 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
1372 | DllCommonsvc.exe
1372 | DllCommonsvc.exe
1372 | DllCommonsvc.exe
4172 | powershell.exe
4916 | powershell.exe
3792 | powershell.exe
4172 | powershell.exe
3468 | powershell.exe
3792 | powershell.exe
3468 | powershell.exe
4916 | powershell.exe
3016 | DllCommonsvc.exe
556 | DllCommonsvc.exe
3300 | DllCommonsvc.exe
4968 | DllCommonsvc.exe
4424 | DllCommonsvc.exe
4684 | DllCommonsvc.exe
4788 | DllCommonsvc.exe
3240 | DllCommonsvc.exe
4260 | DllCommonsvc.exe
3024 | DllCommonsvc.exe
1108 | DllCommonsvc.exe
4056 | DllCommonsvc.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1372 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4172 | powershell.exe
Token: SeDebugPrivilege | 3792 | powershell.exe
Token: SeDebugPrivilege | 4916 | powershell.exe
Token: SeDebugPrivilege | 3468 | powershell.exe
Token: SeDebugPrivilege | 3016 | DllCommonsvc.exe
Token: SeDebugPrivilege | 556 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3300 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4968 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4424 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4684 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4788 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3240 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4260 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3024 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1108 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4056 | DllCommonsvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4900 wrote to memory of 2616 | 4900 | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe | 85
PID 4900 wrote to memory of 2616 | 4900 | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe | 85
PID 4900 wrote to memory of 2616 | 4900 | JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe | 85
PID 2616 wrote to memory of 368 | 2616 | WScript.exe | 87
PID 2616 wrote to memory of 368 | 2616 | WScript.exe | 87
PID 2616 wrote to memory of 368 | 2616 | WScript.exe | 87
PID 368 wrote to memory of 1372 | 368 | cmd.exe | 89
PID 368 wrote to memory of 1372 | 368 | cmd.exe | 89
PID 1372 wrote to memory of 3468 | 1372 | DllCommonsvc.exe | 101
PID 1372 wrote to memory of 3468 | 1372 | DllCommonsvc.exe | 101
PID 1372 wrote to memory of 4916 | 1372 | DllCommonsvc.exe | 102
PID 1372 wrote to memory of 4916 | 1372 | DllCommonsvc.exe | 102
PID 1372 wrote to memory of 3792 | 1372 | DllCommonsvc.exe | 103
PID 1372 wrote to memory of 3792 | 1372 | DllCommonsvc.exe | 103
PID 1372 wrote to memory of 4172 | 1372 | DllCommonsvc.exe | 104
PID 1372 wrote to memory of 4172 | 1372 | DllCommonsvc.exe | 104
PID 1372 wrote to memory of 2612 | 1372 | DllCommonsvc.exe | 109
PID 1372 wrote to memory of 2612 | 1372 | DllCommonsvc.exe | 109
PID 2612 wrote to memory of 1256 | 2612 | cmd.exe | 111
PID 2612 wrote to memory of 1256 | 2612 | cmd.exe | 111
PID 2612 wrote to memory of 3016 | 2612 | cmd.exe | 113
PID 2612 wrote to memory of 3016 | 2612 | cmd.exe | 113
PID 3016 wrote to memory of 3732 | 3016 | DllCommonsvc.exe | 120
PID 3016 wrote to memory of 3732 | 3016 | DllCommonsvc.exe | 120
PID 3732 wrote to memory of 1456 | 3732 | cmd.exe | 122
PID 3732 wrote to memory of 1456 | 3732 | cmd.exe | 122
PID 3732 wrote to memory of 556 | 3732 | cmd.exe | 130
PID 3732 wrote to memory of 556 | 3732 | cmd.exe | 130
PID 556 wrote to memory of 2236 | 556 | DllCommonsvc.exe | 132
PID 556 wrote to memory of 2236 | 556 | DllCommonsvc.exe | 132
PID 2236 wrote to memory of 4324 | 2236 | cmd.exe | 134
PID 2236 wrote to memory of 4324 | 2236 | cmd.exe | 134
PID 2236 wrote to memory of 3300 | 2236 | cmd.exe | 136
PID 2236 wrote to memory of 3300 | 2236 | cmd.exe | 136
PID 3300 wrote to memory of 2820 | 3300 | DllCommonsvc.exe | 140
PID 3300 wrote to memory of 2820 | 3300 | DllCommonsvc.exe | 140
PID 2820 wrote to memory of 3892 | 2820 | cmd.exe | 142
PID 2820 wrote to memory of 3892 | 2820 | cmd.exe | 142
PID 2820 wrote to memory of 4968 | 2820 | cmd.exe | 145
PID 2820 wrote to memory of 4968 | 2820 | cmd.exe | 145
PID 4968 wrote to memory of 3784 | 4968 | DllCommonsvc.exe | 147
PID 4968 wrote to memory of 3784 | 4968 | DllCommonsvc.exe | 147
PID 3784 wrote to memory of 2480 | 3784 | cmd.exe | 149
PID 3784 wrote to memory of 2480 | 3784 | cmd.exe | 149
PID 3784 wrote to memory of 4424 | 3784 | cmd.exe | 151
PID 3784 wrote to memory of 4424 | 3784 | cmd.exe | 151
PID 4424 wrote to memory of 4680 | 4424 | DllCommonsvc.exe | 153
PID 4424 wrote to memory of 4680 | 4424 | DllCommonsvc.exe | 153
PID 4680 wrote to memory of 4008 | 4680 | cmd.exe | 155
PID 4680 wrote to memory of 4008 | 4680 | cmd.exe | 155
PID 4680 wrote to memory of 4684 | 4680 | cmd.exe | 157
PID 4680 wrote to memory of 4684 | 4680 | cmd.exe | 157
PID 4684 wrote to memory of 1660 | 4684 | DllCommonsvc.exe | 160
PID 4684 wrote to memory of 1660 | 4684 | DllCommonsvc.exe | 160
PID 1660 wrote to memory of 2240 | 1660 | cmd.exe | 162
PID 1660 wrote to memory of 2240 | 1660 | cmd.exe | 162
PID 1660 wrote to memory of 4788 | 1660 | cmd.exe | 164
PID 1660 wrote to memory of 4788 | 1660 | cmd.exe | 164
PID 4788 wrote to memory of 4548 | 4788 | DllCommonsvc.exe | 166
PID 4788 wrote to memory of 4548 | 4788 | DllCommonsvc.exe | 166
PID 4548 wrote to memory of 3472 | 4548 | cmd.exe | 168
PID 4548 wrote to memory of 3472 | 4548 | cmd.exe | 168
PID 4548 wrote to memory of 3240 | 4548 | cmd.exe | 170
PID 4548 wrote to memory of 3240 | 4548 | cmd.exe | 170
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry gives the process image, its command line, its PID and the signatures it triggered; the depth number is the position in the process tree, so a process's parent is the nearest preceding entry one level shallower.)

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e185ece2d9fff8f8e11b23e595307f5409b359e4d91438d240afed6af17da651.exe"
  PID: 4900
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2616
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  PID: 368
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 1372
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 3468
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
  PID: 4916
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\Idle.exe'
  PID: 3792
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\fontdrvhost.exe'
  PID: 4172
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fn6r3s7Cpa.bat"
  PID: 2612
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1256

[depth 6] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 3016
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
  PID: 3732
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1456

[depth 8] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 556
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
  PID: 2236
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4324

[depth 10] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 3300
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
  PID: 2820
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3892

[depth 12] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4968
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
  PID: 3784
  - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2480

[depth 14] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4424
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
  PID: 4680
  - Suspicious use of WriteProcessMemory

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4008

[depth 16] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4684
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
  PID: 1660
  - Suspicious use of WriteProcessMemory

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2240

[depth 18] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4788
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
  PID: 4548
  - Suspicious use of WriteProcessMemory

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3472

[depth 20] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 3240
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
  PID: 4020

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2948

[depth 22] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4260
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
  PID: 2008

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2364

[depth 24] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 3024
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
  PID: 768

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 5080

[depth 26] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 1108
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
  PID: 3552

[depth 28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4912

[depth 28] C:\Recovery\WindowsRE\DllCommonsvc.exe
  Command line: "C:\Recovery\WindowsRE\DllCommonsvc.exe"
  PID: 4056
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 29] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
  PID: 2720

[depth 30] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1136
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
  PID: 3084
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
  PID: 2396
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
  PID: 1844
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\Idle.exe'" /f
  PID: 2800
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\Idle.exe'" /rl HIGHEST /f
  PID: 3128
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\Idle.exe'" /rl HIGHEST /f
  PID: 4724
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\fontdrvhost.exe'" /f
  PID: 4972
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 3720
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 1708
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads