Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 01:51
Behavioral task behavioral1
Sample: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Resource: win7-20241023-en

Behavioral task behavioral2
Sample: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Resource: win10v2004-20241007-en

The results on this page are from behavioral2 (win10v2004-20241007-en).
General
Target: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Size: 1.3MB
MD5: b0e7be27280e7a6e75df7c8590b35067
SHA1: e1331032a6911e4257c59a22850181bcaeb17a58
SHA256: 375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923
SHA512: 1bdc408beb993c93f582d26a240f18f01c73632c922bca902d59eef40f84836e4ed06cbc44faf69d7dd6ec5b849fff7903c7327f4a3a264b4020e40c47c3327d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
resource / yara_rule:
- behavioral2/files/0x0007000000023c93-9.dat: dcrat
- behavioral2/memory/5084-13-0x0000000000140000-0x0000000000250000-memory.dmp: dcrat

Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every hit is wmiprvse.exe spawning schtasks.exe, which is consistent with the tasks being created through WMI (Win32_Process Create): the WMI provider host, not the caller, shows up as the parent. That breaks the visible parent-child chain, which is why the twelve schtasks.exe entries appear as separate roots in the process tree rather than under DllCommonsvc.exe.
All 12 hits share one parent: C:\Windows\system32\wbem\wmiprvse.exe (pid_target 1740, procid_target 88) is not expected to spawn schtasks.exe.
Child schtasks.exe PIDs: 3164, 3960, 1724, 2872, 3760, 4760, 1276, 684, 4244, 4756, 2696, 3904
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here five ExclusionPath entries are added, one for each location the payload is dropped to (see the command lines in the process tree).
pid / Process: 1844 powershell.exe, 4528 powershell.exe, 3836 powershell.exe, 372 powershell.exe, 4060 powershell.exe
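Detection logic for the two behaviours above (schtasks.exe created under wmiprvse.exe, and Defender exclusions added from a PowerShell command line), as an added PowerShell example that is not part of this report or of any DCRat tooling. It assumes Sysmon is installed with Event ID 1 (process creation) logging and uses Sysmon's standard field names; the function names are mine, and the sample events are constructed to mirror this report's process tree plus one benign control.

```powershell
# Added example (not from the report): score a process-creation event for the
# behaviours this sample shows. Works on Sysmon Event ID 1 fields.

function Test-SuspiciousProcessCreate {
    param(
        [string]$Image = '',
        [string]$ParentImage = '',
        [string]$CommandLine = ''
    )
    $img    = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $reasons = @()

    # 1. Anything created through WMI Win32_Process.Create has WmiPrvSE.exe as its parent.
    #    Legitimate WMI-driven launches exist, but schtasks/cmd/powershell under WmiPrvSE
    #    is rare and is exactly what the 12 hits in this report look like.
    $lolbins = @('schtasks.exe','cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe')
    if ($parent -eq 'wmiprvse.exe' -and $img -in $lolbins) {
        $reasons += "WmiPrvSE.exe spawned $img"
    }

    # 2. Defender exclusions added from the command line (Add-/Set-MpPreference -Exclusion*).
    if ($img -in @('powershell.exe','pwsh.exe') -and
        $CommandLine -match '(?i)(Add|Set)-MpPreference\s+.*-Exclusion(Path|Process|Extension)') {
        $reasons += 'Defender exclusion added via PowerShell'
    }

    # 3. schtasks /create whose action carries a system-binary name but lives outside
    #    System32/SysWOW64 (csrss.exe in Program Files, conhost.exe in ImmersiveControlPanel ...).
    $sysNames = @('csrss.exe','conhost.exe','dllhost.exe','svchost.exe','lsass.exe','winlogon.exe','smss.exe','services.exe')
    if ($img -eq 'schtasks.exe' -and $CommandLine -match '(?i)/create' -and
        $CommandLine -match '(?i)/tr\s+"?''?(?<target>[^''"]+)') {
        $target = $Matches['target'].Trim()
        $name   = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
        if ($name -in $sysNames -and $target -notmatch '(?i)^C:\\Windows\\(System32|SysWOW64)\\') {
            $reasons += "scheduled task masquerading as $name at $target"
        }
    }
    return $reasons
}

# Live use: read Sysmon process-creation events and keep only the ones that score.
function Find-SuspiciousProcessCreates {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
      ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $why = Test-SuspiciousProcessCreate -Image $f['Image'] -ParentImage $f['ParentImage'] -CommandLine $f['CommandLine']
        if ($why) {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $f['Image']; Parent = $f['ParentImage']
                               Reasons = ($why -join '; '); CommandLine = $f['CommandLine'] }
        }
      }
}

# Constructed sample events (not real log lines) mirroring this report, plus one benign control.
$sample = @(
    @{ Image = 'C:\Windows\system32\schtasks.exe'; ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
       CommandLine = 'schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "''C:\Windows\L2Schemas\dllhost.exe''" /rl HIGHEST /f' },
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\providercommon\DllCommonsvc.exe'
       CommandLine = '"powershell" -Command Add-MpPreference -ExclusionPath ''C:\Windows\L2Schemas\dllhost.exe''' },
    @{ Image = 'C:\Windows\system32\schtasks.exe'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"' }
)
foreach ($e in $sample) {
    $hits = Test-SuspiciousProcessCreate @e
    if ($hits) { '{0} <- {1}: {2}' -f $e.Image, $e.ParentImage, ($hits -join '; ') }
}
```

The first sample event scores twice (WmiPrvSE parent, and a task pointing at a dllhost.exe outside System32), the second once, and the benign query not at all. Rule 1 will also fire on genuine WMI-driven administration, so it is a triage lead rather than a block rule; the other two are specific enough to alert on.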
Checks computer location settings 2 TTPs 14 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Processes: conhost.exe (11 entries), JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe, DllCommonsvc.exe, WScript.exe
Executes dropped EXE 13 IoCs
pid / Process: 5084 DllCommonsvc.exe; conhost.exe with PIDs 3580, 4236, 2700, 1008, 2860, 2176, 1144, 1904, 2928, 4244, 4856, 920
conhost.exe here is the copy dropped at C:\Windows\ImmersiveControlPanel\conhost.exe, not the console host in System32 (see the process tree).
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow / ioc: raw.githubusercontent.com in flows 17, 21, 37, 38, 39, 42, 43, 47, 49, 50, 51, 52
Drops file in Program Files directory 2 IoCs
- File created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows NT\TableTextService\en-US\886983d96e3d3e (DllCommonsvc.exe)
Drops file in Windows directory 5 IoCs
- File opened for modification: C:\Windows\L2Schemas\dllhost.exe (DllCommonsvc.exe)
- File created: C:\Windows\L2Schemas\5940a34987c991 (DllCommonsvc.exe)
- File created: C:\Windows\ImmersiveControlPanel\conhost.exe (DllCommonsvc.exe)
- File created: C:\Windows\ImmersiveControlPanel\088424020bedd6 (DllCommonsvc.exe)
- File created: C:\Windows\L2Schemas\dllhost.exe (DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe, WScript.exe, cmd.exe
Modifies registry class 13 IoCs
Key created: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Processes: conhost.exe (11 entries), JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe, DllCommonsvc.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. This sample registers six task names (dllhost, dllhostd, conhost, conhostc, csrss, csrssc), each with an ONLOGON trigger at /rl HIGHEST plus one or two minute-interval triggers. Note that csrss/csrssc are created with /f first for C:\providercommon\csrss.exe and then for the Program Files copy, so the later registration overwrites the earlier one: when triaging, check the task action path, not just the task name.
pid / Process: schtasks.exe with PIDs 3960, 1724, 2872, 4760, 1276, 4244, 2696, 3164, 3760, 684, 4756, 3904
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid / Process: 5084 DllCommonsvc.exe; powershell.exe with PIDs 4528, 3836, 372, 4060, 1844 (each listed twice); conhost.exe with PIDs 3580, 4236, 2700, 1008, 2860, 2176, 1144, 1904, 2928, 4244, 4856
Suspicious use of AdjustPrivilegeToken 18 IoCs
Token: SeDebugPrivilege, enabled by 5084 DllCommonsvc.exe; powershell.exe with PIDs 4528, 3836, 372, 4060, 1844; conhost.exe with PIDs 3580, 4236, 2700, 1008, 2860, 2176, 1144, 1904, 2928, 4244, 4856, 920
Suspicious use of WriteProcessMemory 64 IoCs
Each line: writing PID (image) wrote to memory of target PID (procid_target), number of entries.
- 2324 (JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe) wrote to 396 (83), 3 entries
- 396 (WScript.exe) wrote to 3376 (85), 3 entries
- 3376 (cmd.exe) wrote to 5084 (87), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 1844 (102), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 4528 (103), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 3836 (104), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 372 (105), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 4060 (106), 2 entries
- 5084 (DllCommonsvc.exe) wrote to 4636 (112), 2 entries
- 4636 (cmd.exe) wrote to 4252 (114), 2 entries
- 4636 (cmd.exe) wrote to 3580 (121), 2 entries
- 3580 (conhost.exe) wrote to 684 (128), 2 entries
- 684 (cmd.exe) wrote to 2696 (130), 2 entries
- 684 (cmd.exe) wrote to 4236 (132), 2 entries
- 4236 (conhost.exe) wrote to 3772 (137), 2 entries
- 3772 (cmd.exe) wrote to 2472 (139), 2 entries
- 3772 (cmd.exe) wrote to 2700 (141), 2 entries
- 2700 (conhost.exe) wrote to 2704 (143), 2 entries
- 2704 (cmd.exe) wrote to 4076 (145), 2 entries
- 2704 (cmd.exe) wrote to 1008 (147), 2 entries
- 1008 (conhost.exe) wrote to 3592 (149), 2 entries
- 3592 (cmd.exe) wrote to 4848 (151), 2 entries
- 3592 (cmd.exe) wrote to 2860 (153), 2 entries
- 2860 (conhost.exe) wrote to 2692 (155), 2 entries
- 2692 (cmd.exe) wrote to 3580 (157), 2 entries
- 2692 (cmd.exe) wrote to 2176 (159), 2 entries
- 2176 (conhost.exe) wrote to 4088 (161), 2 entries
- 4088 (cmd.exe) wrote to 1980 (163), 2 entries
- 4088 (cmd.exe) wrote to 1144 (165), 2 entries
- 1144 (conhost.exe) wrote to 4052 (167), 2 entries
- 4052 (cmd.exe) wrote to 4952 (169), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
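Host triage for the persistence recorded above (the six task names, the five Defender ExclusionPath entries, and the files dropped into C:\providercommon, C:\Windows\L2Schemas, C:\Windows\ImmersiveControlPanel and Program Files), as an added PowerShell example rather than anything from the report or from the malware authors. It uses only the ScheduledTasks and Defender modules that ship with Windows and must run elevated. The paths and task names are taken from this report; the function names and the quarantine directory are assumptions.

```powershell
# Added triage example (not from the report). Get-DcratArtifacts only reads;
# Remove-DcratArtifacts kills, unregisters, un-excludes and quarantines. Run elevated.

$DroppedPaths = @(
    'C:\providercommon\DllCommonsvc.exe',
    'C:\providercommon\csrss.exe',
    'C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe',
    'C:\providercommon\1zu9dW.bat',
    'C:\Windows\L2Schemas\dllhost.exe',
    'C:\Windows\L2Schemas\5940a34987c991',
    'C:\Windows\ImmersiveControlPanel\conhost.exe',
    'C:\Windows\ImmersiveControlPanel\088424020bedd6',
    'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe',
    'C:\Program Files (x86)\Windows NT\TableTextService\en-US\886983d96e3d3e'
)
$TaskNames = @('dllhost', 'dllhostd', 'conhost', 'conhostc', 'csrss', 'csrssc')

# schtasks stores the /tr value with its quotes and may split a path containing spaces
# into Execute + Arguments, so rejoin and strip quotes before comparing.
function Test-DroppedAction([object[]]$Actions) {
    foreach ($a in $Actions) {
        $cmd = (("$($a.Execute) $($a.Arguments)") -replace '[''"]', '').Trim()
        if ($cmd -in $DroppedPaths) { return $true }
    }
    return $false
}

function Get-DcratArtifacts {
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskName -in $TaskNames -or (Test-DroppedAction $_.Actions) }
    $excl  = @((Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath) |
             Where-Object { $_ -in $DroppedPaths }
    $files = foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{
                Path   = $p
                Size   = (Get-Item -LiteralPath $p).Length
                SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
    # Running copies of the dropped binaries (the conhost.exe relaunch chain in the tree).
    $procs = Get-Process | Where-Object { $_.Path -and ($_.Path -in $DroppedPaths) }
    [pscustomobject]@{ Tasks = @($tasks); Exclusions = @($excl); Files = @($files); Processes = @($procs) }
}

function Remove-DcratArtifacts {
    param([string]$Quarantine = "$env:ProgramData\IR-Quarantine")   # assumed location
    $a = Get-DcratArtifacts
    # Order matters: stop the running copies first, then the tasks that would relaunch
    # them (ONLOGON and every few minutes), then the exclusions, then the files.
    $a.Processes | Stop-Process -Force -ErrorAction SilentlyContinue
    foreach ($t in $a.Tasks) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
    foreach ($e in $a.Exclusions) { Remove-MpPreference -ExclusionPath $e }
    $null = New-Item -ItemType Directory -Path $Quarantine -Force
    foreach ($f in $a.Files) {
        # Keep the samples for analysis, renamed so nothing runs them by accident.
        $dest = Join-Path $Quarantine (($f.Path -replace '[:\\]', '_') + '.quarantined')
        Move-Item -LiteralPath $f.Path -Destination $dest -Force
    }
    Get-DcratArtifacts   # whatever is left; all four lists should be empty
}

$found = Get-DcratArtifacts
$found.Tasks | Select-Object TaskPath, TaskName, @{ n = 'Action'; e = { ($_.Actions.Execute -join ' ') } }
$found.Exclusions
$found.Files | Format-Table -AutoSize
$found.Processes | Select-Object Id, Path
# Remove-DcratArtifacts   # run after reviewing the output above
```

Record the SHA256 values Get-DcratArtifacts prints before quarantining so they can be compared against the hashes in the Downloads section. If Defender's tamper protection is on, Remove-MpPreference is refused and the exclusions have to be cleared through the management channel instead.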
Processes
Each entry gives the depth in the process tree, the image path, the command line, the PID, and the signatures that fired on that process.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe"
PID: 2324
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
PID: 396
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
PID: 3376
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
PID: 5084
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
PID: 1844
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
PID: 4528
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\conhost.exe'
PID: 3836
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
PID: 372
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'
PID: 4060
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RoC84loMkT.bat"
PID: 4636
- Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4252

[depth 6] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 3580
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
PID: 684
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2696

[depth 8] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 4236
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
PID: 3772
- Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2472

[depth 10] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 2700
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
PID: 2704
- Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4076

[depth 12] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 1008
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
PID: 3592
- Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4848

[depth 14] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 2860
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 15] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
PID: 2692
- Suspicious use of WriteProcessMemory

[depth 16] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3580

[depth 16] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 2176
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 17] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
PID: 4088
- Suspicious use of WriteProcessMemory

[depth 18] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1980

[depth 18] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 1144
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 19] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
PID: 4052
- Suspicious use of WriteProcessMemory

[depth 20] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4952

[depth 20] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 1904
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
PID: 2700

[depth 22] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4080

[depth 22] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 2928
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
PID: 1480

[depth 24] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4848

[depth 24] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 4244
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
PID: 3908

[depth 26] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4760

[depth 26] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 4856
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
PID: 1104

[depth 28] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 404

[depth 28] C:\Windows\ImmersiveControlPanel\conhost.exe
Command line: "C:\Windows\ImmersiveControlPanel\conhost.exe"
PID: 920
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

The following schtasks.exe processes sit at depth 1 because their parent (wmiprvse.exe, PID 1740) is outside the traced tree.
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
PID: 3164
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
PID: 3960
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
PID: 1724
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /f
PID: 2872
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
PID: 3760
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
PID: 4760
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
PID: 1276
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
PID: 684
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
PID: 4244
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f
PID: 4756
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
PID: 2696
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
PID: 3904
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Filesize: 944B
MD5: bd5940f08d0be56e65e5f2aaf47c538e
SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Filesize: 209B
MD5: ccef91a587de848baa885f3e518d7108
SHA1: 1d9bb571f3613f9b19965f62d8f81e1fb6203694
SHA256: 4eea67c9645585b0fc1a0e76b40f70abd6775f9d6b75047e8d0b92378560cffd
SHA512: 3cadbc637478ef32a58fd8e8e5d1bfa636aa43569bd95e011451457fe01598ad2be437edb981dd2a4b60abd8bd790ad1b6d72e76b54bb5552b5cdfe0571a3aab

Filesize: 209B
MD5: b76f89b2b1a1f20db80f4a6bf8a6181c
SHA1: 1add334d33edce5b1e6b98a649917f87ef5a4c63
SHA256: e4574c4583ce894f3a4f27e9a540a4347d49ac9a5e32e1d883a74234f4c193ca
SHA512: 0d81f5c6b16896265e779cf9c3aa491deb9a564ba292d84ce7d7b35adcc04fc3d65dc3ac573fc448691f7ac088ce8b655ef1f97516b727ce0c2ceceb41775c3b

Filesize: 209B
MD5: 053ba1560a2ff6c53be0a3e1bac3d804
SHA1: bc839b9105729f3ffde8c1aaf6ba939538ac640a
SHA256: 3aa5c67aa33214a03e6c0f37dc03f6b0eafd78ab7e18e6ee649d3b113b546322
SHA512: 61490f5fe9dbc8dd9edf4a7e5ed23bbf41d1034c5d681f1533a94a3ea067b4c0d3b8e916784ad51728c903c599f86ab36873d49fb428e0b732df99fc04cc5bc9

Filesize: 209B
MD5: 032c7f25664db67d3af6df5d090bd697
SHA1: 9c6e078fda983effa549d7f9fec0c9104f0889e5
SHA256: 96dd12c9293dade842ee9ff14b9fdbb4a3bda5d5c850700ea2799c0a061cad46
SHA512: 69799c70c344e407eb6f54340c8a6444030a3f6da3c4ddb599e7cb09e6a550f7d24a491fa227b504ca617db96c6b0da310222984cdd5fddb679cb0fa5fea08d9

Filesize: 209B
MD5: 288adf9b0c0049e2a4d84ad06b94e972
SHA1: a4873c834475411333bbe5f7195a349e6f1a402b
SHA256: 1a60f39b7121d65ef31efe59d91e43ddb57fd266aa611fe0836ae54fffde9b47
SHA512: 69496fa94506b384b4b8b7326402b61c4ed706652e4f83d5be0c333c795c11cfd05558db1df2f97051c1a066ff2980a0498575d999a9fe6ab48bc21491b0a881

Filesize: 209B
MD5: 7e9c29b11e79ea4aefb7ff8d103f89c2
SHA1: d88a65cb8d8611b6d6b52edfcd8180580e214ddd
SHA256: 30b6bc7bdc96a68e6803d30a438bdeb883cfe76d830bde6de73870d009c99304
SHA512: 61d47891ea585386daa71c0cb7e641d51316032b5c462bd0310e01f0fa15a6ac99be217aa9df7f14e924f52d99d11e6710b938367b45a541943c2c43294eb9f2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 209B
MD5: 25f8b0d6411f46137646358e4632dad5
SHA1: a120dd562ceb3cc56769ce0eab8f79c79ec04a6f
SHA256: c229d05f14dd6002bdca36da87d3f914ca168dc672462f3bc7824ba290342a28
SHA512: 82b9cce1a045552292dfad14c4e250738bf373ba25610c9431dfbb15e889df2eadd3dcde64199aa9b85dd6f7bf9137d9c13beba9ca2962cd3f6f787c98c7b411

Filesize: 209B
MD5: ec364c98613e208de731294e7fea0cee
SHA1: 6b20cf6a4165c0c7ae31db39056d4cea4830d6b7
SHA256: a1fe0a50c9e77c573b73f9775d760df28f77858d3964b781952a0d2cc87cbb64
SHA512: 1f605a73f444c431f3e06cfecf176bfd7d1800b337d7e390a7527e14485a7231080e5afc7901209f15723f5beab89689cbb2cd7a028d0b3b0d450ce5e03ab5d9

Filesize: 209B
MD5: cb307687356d5e002c0a077b2eaf1e4f
SHA1: ff44f0622c2430951bc1c1f50ce32ac6518d0075
SHA256: c6e50ae175596933de88eef573da73fd4f51a98615794cd402edc67df25be0c7
SHA512: ae8e77d4a34801163ddd464fa1d758ed47cffb16e27ce0f239dcd8fa448286bae796681dc0b9dabfd743916ec57f2ba8544b61b442b8f1f4e3bcdd31f7390d99

Filesize: 209B
MD5: d9d47688a3fe603d18c58813a963cc9a
SHA1: 1c1c75b34e747eab1c64d1b59f43248e2aaa7667
SHA256: b5e3b455a3182af300a9b815cd03c00b753061714590e2af3dcc735eef137023
SHA512: 7e32105167bab922f1752805e166620fc0b4c719010ccee2f4d6439f1c4b6e7ec9e9efd08b4129e1173fafb05df75cb8f4645b44cb221890cc6d2bf64834a23e

Filesize: 209B
MD5: 7652070c303de18f689f86f52229e22a
SHA1: 66184ac2c29c244c36cdaa1506d33345e5df5753
SHA256: 49f16adb844f7aab5cff5935bc839a413590e437ea018dfe355f6497f8b45cd0
SHA512: 2a918b36797354169e3827c415054cd3f56d517f1958c14ca38a772c98a965c992e08456b50b7ad991fcc50a758f49cfa5133454f5433ea71415396984c8c01c

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478