Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 17:22
Behavioral task: behavioral1
- Sample: JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
- Size: 1.3MB
- MD5: 87fefea3c52c86fda8a3bee4ff9b8902
- SHA1: 4c5bece3da5472b1b0ae36e8b11a957afc224047
- SHA256: b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef
- SHA512: 2d9d71ff60288c5e8837839315e56f0a039da3f308b88411b1cfba721ac3693ce0bee61abd54413573b0be5ff7b5f4553a463c443ee824909ceb1c7b8ab5ae65
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3120 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4620 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4132 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5084 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3352 | 1404 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 1404 | schtasks.exe | 88
-
resource | yara_rule
behavioral2/files/0x0007000000023ce1-10.dat | dcrat
behavioral2/memory/2184-13-0x0000000000770000-0x0000000000880000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4336 | powershell.exe
3136 | powershell.exe
4708 | powershell.exe
1980 | powershell.exe
3012 | powershell.exe
2628 | powershell.exe
-
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | spoolsv.exe
-
Executes dropped EXE (14 IoCs)
pid | Process
2184 | DllCommonsvc.exe
3148 | spoolsv.exe
3844 | spoolsv.exe
3044 | spoolsv.exe
2064 | spoolsv.exe
1436 | spoolsv.exe
3776 | spoolsv.exe
3648 | spoolsv.exe
3728 | spoolsv.exe
1656 | spoolsv.exe
448 | spoolsv.exe
664 | spoolsv.exe
3216 | spoolsv.exe
4792 | spoolsv.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
15 | raw.githubusercontent.com
23 | raw.githubusercontent.com
38 | raw.githubusercontent.com
40 | raw.githubusercontent.com
44 | raw.githubusercontent.com
47 | raw.githubusercontent.com
50 | raw.githubusercontent.com
16 | raw.githubusercontent.com
24 | raw.githubusercontent.com
39 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
53 | raw.githubusercontent.com
-
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Internet Explorer\de-DE\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\de-DE\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\0a1fd5f707cd16 | DllCommonsvc.exe
-
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\en-US\SearchApp.exe | DllCommonsvc.exe
File created | C:\Windows\en-US\38384e6a620884 | DllCommonsvc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies registry class (13 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | spoolsv.exe
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1520 | schtasks.exe
4132 | schtasks.exe
2408 | schtasks.exe
2908 | schtasks.exe
3656 | schtasks.exe
4620 | schtasks.exe
5084 | schtasks.exe
2036 | schtasks.exe
3352 | schtasks.exe
3120 | schtasks.exe
1816 | schtasks.exe
1288 | schtasks.exe
704 | schtasks.exe
4092 | schtasks.exe
2960 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | Process
2184 | DllCommonsvc.exe
3136 | powershell.exe
3136 | powershell.exe
2628 | powershell.exe
3012 | powershell.exe
4708 | powershell.exe
4336 | powershell.exe
1980 | powershell.exe
1980 | powershell.exe
4336 | powershell.exe
3148 | spoolsv.exe
4708 | powershell.exe
2628 | powershell.exe
3012 | powershell.exe
1980 | powershell.exe
3844 | spoolsv.exe
3044 | spoolsv.exe
2064 | spoolsv.exe
1436 | spoolsv.exe
3776 | spoolsv.exe
3648 | spoolsv.exe
3728 | spoolsv.exe
1656 | spoolsv.exe
448 | spoolsv.exe
664 | spoolsv.exe
3216 | spoolsv.exe
4792 | spoolsv.exe
-
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2184 | DllCommonsvc.exe
Token: SeDebugPrivilege | 3136 | powershell.exe
Token: SeDebugPrivilege | 4336 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 2628 | powershell.exe
Token: SeDebugPrivilege | 4708 | powershell.exe
Token: SeDebugPrivilege | 3148 | spoolsv.exe
Token: SeDebugPrivilege | 1980 | powershell.exe
Token: SeDebugPrivilege | 3844 | spoolsv.exe
Token: SeDebugPrivilege | 3044 | spoolsv.exe
Token: SeDebugPrivilege | 2064 | spoolsv.exe
Token: SeDebugPrivilege | 1436 | spoolsv.exe
Token: SeDebugPrivilege | 3776 | spoolsv.exe
Token: SeDebugPrivilege | 3648 | spoolsv.exe
Token: SeDebugPrivilege | 3728 | spoolsv.exe
Token: SeDebugPrivilege | 1656 | spoolsv.exe
Token: SeDebugPrivilege | 448 | spoolsv.exe
Token: SeDebugPrivilege | 664 | spoolsv.exe
Token: SeDebugPrivilege | 3216 | spoolsv.exe
Token: SeDebugPrivilege | 4792 | spoolsv.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3944 wrote to memory of 3992 | 3944 | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe | 84
PID 3944 wrote to memory of 3992 | 3944 | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe | 84
PID 3944 wrote to memory of 3992 | 3944 | JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe | 84
PID 3992 wrote to memory of 3088 | 3992 | WScript.exe | 85
PID 3992 wrote to memory of 3088 | 3992 | WScript.exe | 85
PID 3992 wrote to memory of 3088 | 3992 | WScript.exe | 85
PID 3088 wrote to memory of 2184 | 3088 | cmd.exe | 87
PID 3088 wrote to memory of 2184 | 3088 | cmd.exe | 87
PID 2184 wrote to memory of 4708 | 2184 | DllCommonsvc.exe | 104
PID 2184 wrote to memory of 4708 | 2184 | DllCommonsvc.exe | 104
PID 2184 wrote to memory of 1980 | 2184 | DllCommonsvc.exe | 105
PID 2184 wrote to memory of 1980 | 2184 | DllCommonsvc.exe | 105
PID 2184 wrote to memory of 3012 | 2184 | DllCommonsvc.exe | 106
PID 2184 wrote to memory of 3012 | 2184 | DllCommonsvc.exe | 106
PID 2184 wrote to memory of 2628 | 2184 | DllCommonsvc.exe | 107
PID 2184 wrote to memory of 2628 | 2184 | DllCommonsvc.exe | 107
PID 2184 wrote to memory of 4336 | 2184 | DllCommonsvc.exe | 108
PID 2184 wrote to memory of 4336 | 2184 | DllCommonsvc.exe | 108
PID 2184 wrote to memory of 3136 | 2184 | DllCommonsvc.exe | 109
PID 2184 wrote to memory of 3136 | 2184 | DllCommonsvc.exe | 109
PID 2184 wrote to memory of 3148 | 2184 | DllCommonsvc.exe | 115
PID 2184 wrote to memory of 3148 | 2184 | DllCommonsvc.exe | 115
PID 3148 wrote to memory of 4816 | 3148 | spoolsv.exe | 121
PID 3148 wrote to memory of 4816 | 3148 | spoolsv.exe | 121
PID 4816 wrote to memory of 3120 | 4816 | cmd.exe | 123
PID 4816 wrote to memory of 3120 | 4816 | cmd.exe | 123
PID 4816 wrote to memory of 3844 | 4816 | cmd.exe | 126
PID 4816 wrote to memory of 3844 | 4816 | cmd.exe | 126
PID 3844 wrote to memory of 1696 | 3844 | spoolsv.exe | 127
PID 3844 wrote to memory of 1696 | 3844 | spoolsv.exe | 127
PID 1696 wrote to memory of 2852 | 1696 | cmd.exe | 129
PID 1696 wrote to memory of 2852 | 1696 | cmd.exe | 129
PID 1696 wrote to memory of 3044 | 1696 | cmd.exe | 130
PID 1696 wrote to memory of 3044 | 1696 | cmd.exe | 130
PID 3044 wrote to memory of 1152 | 3044 | spoolsv.exe | 131
PID 3044 wrote to memory of 1152 | 3044 | spoolsv.exe | 131
PID 1152 wrote to memory of 2212 | 1152 | cmd.exe | 133
PID 1152 wrote to memory of 2212 | 1152 | cmd.exe | 133
PID 1152 wrote to memory of 2064 | 1152 | cmd.exe | 136
PID 1152 wrote to memory of 2064 | 1152 | cmd.exe | 136
PID 2064 wrote to memory of 3744 | 2064 | spoolsv.exe | 137
PID 2064 wrote to memory of 3744 | 2064 | spoolsv.exe | 137
PID 3744 wrote to memory of 4996 | 3744 | cmd.exe | 139
PID 3744 wrote to memory of 4996 | 3744 | cmd.exe | 139
PID 3744 wrote to memory of 1436 | 3744 | cmd.exe | 140
PID 3744 wrote to memory of 1436 | 3744 | cmd.exe | 140
PID 1436 wrote to memory of 1088 | 1436 | spoolsv.exe | 141
PID 1436 wrote to memory of 1088 | 1436 | spoolsv.exe | 141
PID 1088 wrote to memory of 4584 | 1088 | cmd.exe | 143
PID 1088 wrote to memory of 4584 | 1088 | cmd.exe | 143
PID 1088 wrote to memory of 3776 | 1088 | cmd.exe | 144
PID 1088 wrote to memory of 3776 | 1088 | cmd.exe | 144
PID 3776 wrote to memory of 2052 | 3776 | spoolsv.exe | 145
PID 3776 wrote to memory of 2052 | 3776 | spoolsv.exe | 145
PID 2052 wrote to memory of 2016 | 2052 | cmd.exe | 147
PID 2052 wrote to memory of 2016 | 2052 | cmd.exe | 147
PID 2052 wrote to memory of 3648 | 2052 | cmd.exe | 148
PID 2052 wrote to memory of 3648 | 2052 | cmd.exe | 148
PID 3648 wrote to memory of 4476 | 3648 | spoolsv.exe | 149
PID 3648 wrote to memory of 4476 | 3648 | spoolsv.exe | 149
PID 4476 wrote to memory of 3176 | 4476 | cmd.exe | 151
PID 4476 wrote to memory of 3176 | 4476 | cmd.exe | 151
PID 4476 wrote to memory of 3728 | 4476 | cmd.exe | 152
PID 4476 wrote to memory of 3728 | 4476 | cmd.exe | 152
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b507b2019fbe434db033541f5e46e6b5cf1051cacecc1cad4fd99f45e87611ef.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3944
-
Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3992
-
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3088
-
Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2184
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4708
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1980
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3012
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2628
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\SearchApp.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4336
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3136
-
-
Level 5: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3148
-
Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
- Suspicious use of WriteProcessMemory
PID: 4816
-
Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3120
-
-
Level 7: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3844
-
Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
- Suspicious use of WriteProcessMemory
PID: 1696
-
Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2852
-
-
Level 9: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3044
-
Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
- Suspicious use of WriteProcessMemory
PID: 1152
-
Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2212
-
-
Level 11: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2064
-
Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
- Suspicious use of WriteProcessMemory
PID: 3744
-
Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4996
-
-
Level 13: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1436
-
Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
- Suspicious use of WriteProcessMemory
PID: 1088
-
Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4584
-
-
Level 15: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3776
-
Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
- Suspicious use of WriteProcessMemory
PID: 2052
-
Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2016
-
-
Level 17: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3648
-
Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
- Suspicious use of WriteProcessMemory
PID: 4476
-
Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3176
-
-
Level 19: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3728
-
Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
PID: 3004
-
Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4784
-
-
Level 21: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1656
-
Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
PID: 2820
-
Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 5104
-
-
Level 23: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 448
-
Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
PID: 4800
-
Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4996
-
-
Level 25: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 664
-
Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
PID: 8
-
Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1564
-
-
Level 27: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3216
-
Level 28: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
PID: 4728
-
Level 29: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4464
-
-
Level 29: C:\Program Files\Internet Explorer\de-DE\spoolsv.exe
  Command line: "C:\Program Files\Internet Explorer\de-DE\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4792
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4092
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3656
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1520
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3120
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2960
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4620
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4132
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2408
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5084
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\SearchApp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1816
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\en-US\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2036
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2908
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1288
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3352
-
Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 704
Network
MITRE ATT&CK Enterprise v15
Downloads