Analysis
max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
30/12/2024, 02:20
Behavioral task
behavioral1
Sample
JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Resource
win10v2004-20241007-en
General
Target
JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Size
1.3MB
MD5
087ec94d7adc88df60aa78bb8def7548
SHA1
e6bfda2c1b9159104cdb61834aeb8f37adb432e0
SHA256
88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2
SHA512
a045878121fad3960916f9f77d13dd9f07b94955e7e6cf39f950793e9895526b67e054d0d08389829993d21d77673fb2a79417381a5f3b4bfd7766c8c735a684
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1712 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 808 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3492 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3176 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3636 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3472 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3868 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3268 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4264 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3520 | 2484 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5032 | 2484 | schtasks.exe | 86

resource | yara_rule
behavioral2/files/0x000a000000023b8c-10.dat | dcrat
behavioral2/memory/4800-13-0x00000000004F0000-0x0000000000600000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3968 | powershell.exe
2204 | powershell.exe
3960 | powershell.exe
4872 | powershell.exe
2956 | powershell.exe
3816 | powershell.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sysmon.exe
Executes dropped EXE (13 IoCs)
pid | Process
4800 | DllCommonsvc.exe
3684 | sysmon.exe
2676 | sysmon.exe
3596 | sysmon.exe
1844 | sysmon.exe
3428 | sysmon.exe
5044 | sysmon.exe
2112 | sysmon.exe
2336 | sysmon.exe
464 | sysmon.exe
804 | sysmon.exe
1844 | sysmon.exe
1432 | sysmon.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
18 | raw.githubusercontent.com
25 | raw.githubusercontent.com
43 | raw.githubusercontent.com
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com
49 | raw.githubusercontent.com
17 | raw.githubusercontent.com
40 | raw.githubusercontent.com
50 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
53 | raw.githubusercontent.com
33 | raw.githubusercontent.com
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Boot\Resources\it-IT\SearchApp.exe | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | sysmon.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3868 | schtasks.exe
2680 | schtasks.exe
3520 | schtasks.exe
5032 | schtasks.exe
3492 | schtasks.exe
808 | schtasks.exe
1956 | schtasks.exe
396 | schtasks.exe
3636 | schtasks.exe
3472 | schtasks.exe
3268 | schtasks.exe
1712 | schtasks.exe
4264 | schtasks.exe
1652 | schtasks.exe
3176 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
4800 | DllCommonsvc.exe
2204 | powershell.exe
3968 | powershell.exe
3816 | powershell.exe
4872 | powershell.exe
2956 | powershell.exe
3960 | powershell.exe
2956 | powershell.exe
3816 | powershell.exe
2204 | powershell.exe
4872 | powershell.exe
3968 | powershell.exe
3960 | powershell.exe
3684 | sysmon.exe
2676 | sysmon.exe
3596 | sysmon.exe
1844 | sysmon.exe
3428 | sysmon.exe
5044 | sysmon.exe
2112 | sysmon.exe
2336 | sysmon.exe
464 | sysmon.exe
804 | sysmon.exe
1844 | sysmon.exe
1432 | sysmon.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4800 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 3816 | powershell.exe
Token: SeDebugPrivilege | 3968 | powershell.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 2956 | powershell.exe
Token: SeDebugPrivilege | 3960 | powershell.exe
Token: SeDebugPrivilege | 3684 | sysmon.exe
Token: SeDebugPrivilege | 2676 | sysmon.exe
Token: SeDebugPrivilege | 3596 | sysmon.exe
Token: SeDebugPrivilege | 1844 | sysmon.exe
Token: SeDebugPrivilege | 3428 | sysmon.exe
Token: SeDebugPrivilege | 5044 | sysmon.exe
Token: SeDebugPrivilege | 2112 | sysmon.exe
Token: SeDebugPrivilege | 2336 | sysmon.exe
Token: SeDebugPrivilege | 464 | sysmon.exe
Token: SeDebugPrivilege | 804 | sysmon.exe
Token: SeDebugPrivilege | 1844 | sysmon.exe
Token: SeDebugPrivilege | 1432 | sysmon.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3628 wrote to memory of 4788 | 3628 | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | 82
PID 3628 wrote to memory of 4788 | 3628 | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | 82
PID 3628 wrote to memory of 4788 | 3628 | JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | 82
PID 4788 wrote to memory of 3188 | 4788 | WScript.exe | 83
PID 4788 wrote to memory of 3188 | 4788 | WScript.exe | 83
PID 4788 wrote to memory of 3188 | 4788 | WScript.exe | 83
PID 3188 wrote to memory of 4800 | 3188 | cmd.exe | 85
PID 3188 wrote to memory of 4800 | 3188 | cmd.exe | 85
PID 4800 wrote to memory of 3960 | 4800 | DllCommonsvc.exe | 102
PID 4800 wrote to memory of 3960 | 4800 | DllCommonsvc.exe | 102
PID 4800 wrote to memory of 4872 | 4800 | DllCommonsvc.exe | 103
PID 4800 wrote to memory of 4872 | 4800 | DllCommonsvc.exe | 103
PID 4800 wrote to memory of 2204 | 4800 | DllCommonsvc.exe | 104
PID 4800 wrote to memory of 2204 | 4800 | DllCommonsvc.exe | 104
PID 4800 wrote to memory of 3968 | 4800 | DllCommonsvc.exe | 105
PID 4800 wrote to memory of 3968 | 4800 | DllCommonsvc.exe | 105
PID 4800 wrote to memory of 3816 | 4800 | DllCommonsvc.exe | 106
PID 4800 wrote to memory of 3816 | 4800 | DllCommonsvc.exe | 106
PID 4800 wrote to memory of 2956 | 4800 | DllCommonsvc.exe | 107
PID 4800 wrote to memory of 2956 | 4800 | DllCommonsvc.exe | 107
PID 4800 wrote to memory of 1148 | 4800 | DllCommonsvc.exe | 114
PID 4800 wrote to memory of 1148 | 4800 | DllCommonsvc.exe | 114
PID 1148 wrote to memory of 2820 | 1148 | cmd.exe | 116
PID 1148 wrote to memory of 2820 | 1148 | cmd.exe | 116
PID 1148 wrote to memory of 3684 | 1148 | cmd.exe | 120
PID 1148 wrote to memory of 3684 | 1148 | cmd.exe | 120
PID 3684 wrote to memory of 3636 | 3684 | sysmon.exe | 124
PID 3684 wrote to memory of 3636 | 3684 | sysmon.exe | 124
PID 3636 wrote to memory of 3388 | 3636 | cmd.exe | 126
PID 3636 wrote to memory of 3388 | 3636 | cmd.exe | 126
PID 3636 wrote to memory of 2676 | 3636 | cmd.exe | 127
PID 3636 wrote to memory of 2676 | 3636 | cmd.exe | 127
PID 2676 wrote to memory of 4972 | 2676 | sysmon.exe | 128
PID 2676 wrote to memory of 4972 | 2676 | sysmon.exe | 128
PID 4972 wrote to memory of 1452 | 4972 | cmd.exe | 131
PID 4972 wrote to memory of 1452 | 4972 | cmd.exe | 131
PID 4972 wrote to memory of 3596 | 4972 | cmd.exe | 132
PID 4972 wrote to memory of 3596 | 4972 | cmd.exe | 132
PID 3596 wrote to memory of 3020 | 3596 | sysmon.exe | 133
PID 3596 wrote to memory of 3020 | 3596 | sysmon.exe | 133
PID 3020 wrote to memory of 4948 | 3020 | cmd.exe | 135
PID 3020 wrote to memory of 4948 | 3020 | cmd.exe | 135
PID 3020 wrote to memory of 1844 | 3020 | cmd.exe | 137
PID 3020 wrote to memory of 1844 | 3020 | cmd.exe | 137
PID 1844 wrote to memory of 4568 | 1844 | sysmon.exe | 138
PID 1844 wrote to memory of 4568 | 1844 | sysmon.exe | 138
PID 4568 wrote to memory of 4336 | 4568 | cmd.exe | 140
PID 4568 wrote to memory of 4336 | 4568 | cmd.exe | 140
PID 4568 wrote to memory of 3428 | 4568 | cmd.exe | 141
PID 4568 wrote to memory of 3428 | 4568 | cmd.exe | 141
PID 3428 wrote to memory of 1384 | 3428 | sysmon.exe | 142
PID 3428 wrote to memory of 1384 | 3428 | sysmon.exe | 142
PID 1384 wrote to memory of 2324 | 1384 | cmd.exe | 144
PID 1384 wrote to memory of 2324 | 1384 | cmd.exe | 144
PID 1384 wrote to memory of 5044 | 1384 | cmd.exe | 145
PID 1384 wrote to memory of 5044 | 1384 | cmd.exe | 145
PID 5044 wrote to memory of 3176 | 5044 | sysmon.exe | 146
PID 5044 wrote to memory of 3176 | 5044 | sysmon.exe | 146
PID 3176 wrote to memory of 2460 | 3176 | cmd.exe | 148
PID 3176 wrote to memory of 2460 | 3176 | cmd.exe | 148
PID 3176 wrote to memory of 2112 | 3176 | cmd.exe | 149
PID 3176 wrote to memory of 2112 | 3176 | cmd.exe | 149
PID 2112 wrote to memory of 32 | 2112 | sysmon.exe | 150
PID 2112 wrote to memory of 32 | 2112 | sysmon.exe | 150
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188
depth 4: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\sysmon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
depth 5: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kIZaRYwl1q.bat"
- Suspicious use of WriteProcessMemory
PID:1148
depth 6: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2820
depth 6: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
- Suspicious use of WriteProcessMemory
PID:3636
depth 8: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3388
depth 8: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
depth 9: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
- Suspicious use of WriteProcessMemory
PID:4972
depth 10: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1452
depth 10: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
depth 11: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
- Suspicious use of WriteProcessMemory
PID:3020
depth 12: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4948
depth 12: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
depth 13: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
- Suspicious use of WriteProcessMemory
PID:4568
depth 14: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4336
depth 14: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
- Suspicious use of WriteProcessMemory
PID:1384
depth 16: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2324
depth 16: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
depth 17: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
- Suspicious use of WriteProcessMemory
PID:3176
depth 18: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2460
depth 18: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
depth 19: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
PID:32
depth 20: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2588
depth 20: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
depth 21: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
PID:2624
depth 22: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4364
depth 22: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464
depth 23: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
PID:5092
depth 24: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3076
depth 24: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
depth 25: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
PID:4792
depth 26: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3704
depth 26: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
depth 27: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
PID:2224
depth 28: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1748
depth 28: C:\Users\Admin\Templates\sysmon.exe
  command line: "C:\Users\Admin\Templates\sysmon.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432
depth 29: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
PID:3476
depth 30: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4760
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
Network
MITRE ATT&CK Enterprise v15
Downloads