Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 02:01
Behavioral task: behavioral1
- Sample: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Size: 1.3MB
- MD5: 8d758308ba356cd4992ecfdd50db9774
- SHA1: bd07292d17333584c99654a584fae2420f589ed0
- SHA256: b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2
- SHA512: 8ffe7d228ee170dd2b9203bd68cd3ceca415a2eb638977f0269df5f3d4c5c46e1b89b3ed203a5ecb6b1bc22a7246268b942ee83d5fedf0f0ef626a4eb3dd5d3c
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral2/files/0x000a000000023b69-9.dat | dcrat
behavioral2/memory/4256-13-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat

Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3540 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5016 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5020 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 968 | 4504 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 4504 | schtasks.exe | 89
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4220 | powershell.exe
1456 | powershell.exe
1196 | powershell.exe
3488 | powershell.exe
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | dllhost.exe
Executes dropped EXE 14 IoCs
pid | Process
4256 | DllCommonsvc.exe
4720 | dllhost.exe
1652 | dllhost.exe
4524 | dllhost.exe
4536 | dllhost.exe
3172 | dllhost.exe
1268 | dllhost.exe
4200 | dllhost.exe
2992 | dllhost.exe
984 | dllhost.exe
3068 | dllhost.exe
3404 | dllhost.exe
2904 | dllhost.exe
1960 | dllhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
21 | raw.githubusercontent.com
41 | raw.githubusercontent.com
42 | raw.githubusercontent.com
46 | raw.githubusercontent.com
54 | raw.githubusercontent.com
56 | raw.githubusercontent.com
22 | raw.githubusercontent.com
27 | raw.githubusercontent.com
45 | raw.githubusercontent.com
47 | raw.githubusercontent.com
53 | raw.githubusercontent.com
55 | raw.githubusercontent.com
57 | raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2028 | schtasks.exe
1836 | schtasks.exe
5020 | schtasks.exe
2704 | schtasks.exe
5016 | schtasks.exe
3012 | schtasks.exe
968 | schtasks.exe
2728 | schtasks.exe
3540 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
4256 | DllCommonsvc.exe
3488 | powershell.exe
1196 | powershell.exe
1456 | powershell.exe
3488 | powershell.exe
4220 | powershell.exe
1196 | powershell.exe
1456 | powershell.exe
4220 | powershell.exe
4720 | dllhost.exe
1652 | dllhost.exe
4524 | dllhost.exe
4536 | dllhost.exe
3172 | dllhost.exe
1268 | dllhost.exe
4200 | dllhost.exe
2992 | dllhost.exe
984 | dllhost.exe
3068 | dllhost.exe
3404 | dllhost.exe
2904 | dllhost.exe
1960 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4256 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3488 | powershell.exe
Token: SeDebugPrivilege | 1196 | powershell.exe
Token: SeDebugPrivilege | 1456 | powershell.exe
Token: SeDebugPrivilege | 4220 | powershell.exe
Token: SeDebugPrivilege | 4720 | dllhost.exe
Token: SeDebugPrivilege | 1652 | dllhost.exe
Token: SeDebugPrivilege | 4524 | dllhost.exe
Token: SeDebugPrivilege | 4536 | dllhost.exe
Token: SeDebugPrivilege | 3172 | dllhost.exe
Token: SeDebugPrivilege | 1268 | dllhost.exe
Token: SeDebugPrivilege | 4200 | dllhost.exe
Token: SeDebugPrivilege | 2992 | dllhost.exe
Token: SeDebugPrivilege | 984 | dllhost.exe
Token: SeDebugPrivilege | 3068 | dllhost.exe
Token: SeDebugPrivilege | 3404 | dllhost.exe
Token: SeDebugPrivilege | 2904 | dllhost.exe
Token: SeDebugPrivilege | 1960 | dllhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1140 wrote to memory of 3884 | 1140 | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | 82
PID 1140 wrote to memory of 3884 | 1140 | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | 82
PID 1140 wrote to memory of 3884 | 1140 | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | 82
PID 3884 wrote to memory of 1988 | 3884 | WScript.exe | 85
PID 3884 wrote to memory of 1988 | 3884 | WScript.exe | 85
PID 3884 wrote to memory of 1988 | 3884 | WScript.exe | 85
PID 1988 wrote to memory of 4256 | 1988 | cmd.exe | 87
PID 1988 wrote to memory of 4256 | 1988 | cmd.exe | 87
PID 4256 wrote to memory of 4220 | 4256 | DllCommonsvc.exe | 99
PID 4256 wrote to memory of 4220 | 4256 | DllCommonsvc.exe | 99
PID 4256 wrote to memory of 1456 | 4256 | DllCommonsvc.exe | 100
PID 4256 wrote to memory of 1456 | 4256 | DllCommonsvc.exe | 100
PID 4256 wrote to memory of 1196 | 4256 | DllCommonsvc.exe | 101
PID 4256 wrote to memory of 1196 | 4256 | DllCommonsvc.exe | 101
PID 4256 wrote to memory of 3488 | 4256 | DllCommonsvc.exe | 102
PID 4256 wrote to memory of 3488 | 4256 | DllCommonsvc.exe | 102
PID 4256 wrote to memory of 3424 | 4256 | DllCommonsvc.exe | 107
PID 4256 wrote to memory of 3424 | 4256 | DllCommonsvc.exe | 107
PID 3424 wrote to memory of 2996 | 3424 | cmd.exe | 109
PID 3424 wrote to memory of 2996 | 3424 | cmd.exe | 109
PID 3424 wrote to memory of 4720 | 3424 | cmd.exe | 111
PID 3424 wrote to memory of 4720 | 3424 | cmd.exe | 111
PID 4720 wrote to memory of 2276 | 4720 | dllhost.exe | 114
PID 4720 wrote to memory of 2276 | 4720 | dllhost.exe | 114
PID 2276 wrote to memory of 4280 | 2276 | cmd.exe | 116
PID 2276 wrote to memory of 4280 | 2276 | cmd.exe | 116
PID 2276 wrote to memory of 1652 | 2276 | cmd.exe | 117
PID 2276 wrote to memory of 1652 | 2276 | cmd.exe | 117
PID 1652 wrote to memory of 2360 | 1652 | dllhost.exe | 118
PID 1652 wrote to memory of 2360 | 1652 | dllhost.exe | 118
PID 2360 wrote to memory of 3180 | 2360 | cmd.exe | 120
PID 2360 wrote to memory of 3180 | 2360 | cmd.exe | 120
PID 2360 wrote to memory of 4524 | 2360 | cmd.exe | 123
PID 2360 wrote to memory of 4524 | 2360 | cmd.exe | 123
PID 4524 wrote to memory of 2792 | 4524 | dllhost.exe | 124
PID 4524 wrote to memory of 2792 | 4524 | dllhost.exe | 124
PID 2792 wrote to memory of 3388 | 2792 | cmd.exe | 126
PID 2792 wrote to memory of 3388 | 2792 | cmd.exe | 126
PID 2792 wrote to memory of 4536 | 2792 | cmd.exe | 127
PID 2792 wrote to memory of 4536 | 2792 | cmd.exe | 127
PID 4536 wrote to memory of 884 | 4536 | dllhost.exe | 128
PID 4536 wrote to memory of 884 | 4536 | dllhost.exe | 128
PID 884 wrote to memory of 4544 | 884 | cmd.exe | 130
PID 884 wrote to memory of 4544 | 884 | cmd.exe | 130
PID 884 wrote to memory of 3172 | 884 | cmd.exe | 131
PID 884 wrote to memory of 3172 | 884 | cmd.exe | 131
PID 3172 wrote to memory of 1196 | 3172 | dllhost.exe | 132
PID 3172 wrote to memory of 1196 | 3172 | dllhost.exe | 132
PID 1196 wrote to memory of 460 | 1196 | cmd.exe | 134
PID 1196 wrote to memory of 460 | 1196 | cmd.exe | 134
PID 1196 wrote to memory of 1268 | 1196 | cmd.exe | 135
PID 1196 wrote to memory of 1268 | 1196 | cmd.exe | 135
PID 1268 wrote to memory of 3396 | 1268 | dllhost.exe | 136
PID 1268 wrote to memory of 3396 | 1268 | dllhost.exe | 136
PID 3396 wrote to memory of 4000 | 3396 | cmd.exe | 138
PID 3396 wrote to memory of 4000 | 3396 | cmd.exe | 138
PID 3396 wrote to memory of 4200 | 3396 | cmd.exe | 139
PID 3396 wrote to memory of 4200 | 3396 | cmd.exe | 139
PID 4200 wrote to memory of 2896 | 4200 | dllhost.exe | 140
PID 4200 wrote to memory of 2896 | 4200 | dllhost.exe | 140
PID 2896 wrote to memory of 1248 | 2896 | cmd.exe | 142
PID 2896 wrote to memory of 1248 | 2896 | cmd.exe | 142
PID 2896 wrote to memory of 2992 | 2896 | cmd.exe | 143
PID 2896 wrote to memory of 2992 | 2896 | cmd.exe | 143
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the number in brackets is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1140

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3884

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1988

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4256

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4220

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1456

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\sihost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1196

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3488

[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3424

[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2996

[6] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4720

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2276

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4280

[8] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1652

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2360

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3180

[10] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4524

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2792

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3388

[12] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4536

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
    - Suspicious use of WriteProcessMemory
    PID: 884

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4544

[14] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3172

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1196

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 460

[16] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1268

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
    - Suspicious use of WriteProcessMemory
    PID: 3396

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4000

[18] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4200

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2896

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1248

[20] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2992

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
    PID: 4596

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5096

[22] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 984

[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
    PID: 1468

[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2032

[24] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3068

[25] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
    PID: 2880

[26] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2060

[26] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3404

[27] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
    PID: 4424

[28] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1472

[28] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2904

[29] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
    PID: 2448

[30] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3616

[30] C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
    Command line: "C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1960
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2728

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3540

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2704

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 5016

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1836

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3012

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 5020

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 968

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads