Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 19:38
Behavioral task
behavioral1
Sample
JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Size: 1.3MB
MD5: e3752ee088cc42b47b21d172c8ae5526
SHA1: 9447e240b9c850e362b0047c3f4c3db58589a43c
SHA256: ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8
SHA512: a179a3671c79c1fed0efe2c4efcb702aadd20a610b6d819f4139a84427e916d3a9af4528b7aa2d9186a644620c725393a19cedd79f64bbdd35fde7dda8ce42c1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
resource | yara_rule
behavioral2/files/0x0007000000023c98-10.dat | dcrat
behavioral2/memory/4556-13-0x0000000000760000-0x0000000000870000-memory.dmp | dcrat

Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3612 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4884 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3304 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4548 | 1388 | schtasks.exe | 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 1388 | schtasks.exe | 88
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1980 | powershell.exe
1348 | powershell.exe
4436 | powershell.exe
3076 | powershell.exe
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Registry.exe
Executes dropped EXE (15 IoCs)
pid | Process
4556 | DllCommonsvc.exe
2356 | Registry.exe
2216 | Registry.exe
3904 | Registry.exe
1672 | Registry.exe
876 | Registry.exe
4628 | Registry.exe
1804 | Registry.exe
3028 | Registry.exe
1708 | Registry.exe
2728 | Registry.exe
2732 | Registry.exe
2672 | Registry.exe
4052 | Registry.exe
1192 | Registry.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 14 IoCs)
flow | ioc
42 | raw.githubusercontent.com
57 | raw.githubusercontent.com
13 | raw.githubusercontent.com
14 | raw.githubusercontent.com
38 | raw.githubusercontent.com
39 | raw.githubusercontent.com
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com
53 | raw.githubusercontent.com
54 | raw.githubusercontent.com
56 | raw.githubusercontent.com
24 | raw.githubusercontent.com
46 | raw.githubusercontent.com
55 | raw.githubusercontent.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | Registry.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1320 | schtasks.exe
3612 | schtasks.exe
1880 | schtasks.exe
1752 | schtasks.exe
2588 | schtasks.exe
4884 | schtasks.exe
3164 | schtasks.exe
3304 | schtasks.exe
4548 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
4556 | DllCommonsvc.exe
4436 | powershell.exe
1348 | powershell.exe
3076 | powershell.exe
1980 | powershell.exe
3076 | powershell.exe
1348 | powershell.exe
4436 | powershell.exe
1980 | powershell.exe
2356 | Registry.exe
2216 | Registry.exe
3904 | Registry.exe
1672 | Registry.exe
876 | Registry.exe
4628 | Registry.exe
1804 | Registry.exe
3028 | Registry.exe
1708 | Registry.exe
2728 | Registry.exe
2732 | Registry.exe
2672 | Registry.exe
4052 | Registry.exe
1192 | Registry.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4556 | DllCommonsvc.exe
Token: SeDebugPrivilege | 4436 | powershell.exe
Token: SeDebugPrivilege | 1348 | powershell.exe
Token: SeDebugPrivilege | 3076 | powershell.exe
Token: SeDebugPrivilege | 1980 | powershell.exe
Token: SeDebugPrivilege | 2356 | Registry.exe
Token: SeDebugPrivilege | 2216 | Registry.exe
Token: SeDebugPrivilege | 3904 | Registry.exe
Token: SeDebugPrivilege | 1672 | Registry.exe
Token: SeDebugPrivilege | 876 | Registry.exe
Token: SeDebugPrivilege | 4628 | Registry.exe
Token: SeDebugPrivilege | 1804 | Registry.exe
Token: SeDebugPrivilege | 3028 | Registry.exe
Token: SeDebugPrivilege | 1708 | Registry.exe
Token: SeDebugPrivilege | 2728 | Registry.exe
Token: SeDebugPrivilege | 2732 | Registry.exe
Token: SeDebugPrivilege | 2672 | Registry.exe
Token: SeDebugPrivilege | 4052 | Registry.exe
Token: SeDebugPrivilege | 1192 | Registry.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1868 wrote to memory of 1184 | 1868 | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | 83
PID 1868 wrote to memory of 1184 | 1868 | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | 83
PID 1868 wrote to memory of 1184 | 1868 | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | 83
PID 1184 wrote to memory of 4388 | 1184 | WScript.exe | 85
PID 1184 wrote to memory of 4388 | 1184 | WScript.exe | 85
PID 1184 wrote to memory of 4388 | 1184 | WScript.exe | 85
PID 4388 wrote to memory of 4556 | 4388 | cmd.exe | 87
PID 4388 wrote to memory of 4556 | 4388 | cmd.exe | 87
PID 4556 wrote to memory of 1980 | 4556 | DllCommonsvc.exe | 99
PID 4556 wrote to memory of 1980 | 4556 | DllCommonsvc.exe | 99
PID 4556 wrote to memory of 3076 | 4556 | DllCommonsvc.exe | 100
PID 4556 wrote to memory of 3076 | 4556 | DllCommonsvc.exe | 100
PID 4556 wrote to memory of 4436 | 4556 | DllCommonsvc.exe | 101
PID 4556 wrote to memory of 4436 | 4556 | DllCommonsvc.exe | 101
PID 4556 wrote to memory of 1348 | 4556 | DllCommonsvc.exe | 102
PID 4556 wrote to memory of 1348 | 4556 | DllCommonsvc.exe | 102
PID 4556 wrote to memory of 4620 | 4556 | DllCommonsvc.exe | 107
PID 4556 wrote to memory of 4620 | 4556 | DllCommonsvc.exe | 107
PID 4620 wrote to memory of 3852 | 4620 | cmd.exe | 109
PID 4620 wrote to memory of 3852 | 4620 | cmd.exe | 109
PID 4620 wrote to memory of 2356 | 4620 | cmd.exe | 111
PID 4620 wrote to memory of 2356 | 4620 | cmd.exe | 111
PID 2356 wrote to memory of 2836 | 2356 | Registry.exe | 113
PID 2356 wrote to memory of 2836 | 2356 | Registry.exe | 113
PID 2836 wrote to memory of 880 | 2836 | cmd.exe | 115
PID 2836 wrote to memory of 880 | 2836 | cmd.exe | 115
PID 2836 wrote to memory of 2216 | 2836 | cmd.exe | 122
PID 2836 wrote to memory of 2216 | 2836 | cmd.exe | 122
PID 2216 wrote to memory of 3028 | 2216 | Registry.exe | 130
PID 2216 wrote to memory of 3028 | 2216 | Registry.exe | 130
PID 3028 wrote to memory of 1456 | 3028 | cmd.exe | 132
PID 3028 wrote to memory of 1456 | 3028 | cmd.exe | 132
PID 3028 wrote to memory of 3904 | 3028 | cmd.exe | 137
PID 3028 wrote to memory of 3904 | 3028 | cmd.exe | 137
PID 3904 wrote to memory of 1084 | 3904 | Registry.exe | 139
PID 3904 wrote to memory of 1084 | 3904 | Registry.exe | 139
PID 1084 wrote to memory of 3076 | 1084 | cmd.exe | 141
PID 1084 wrote to memory of 3076 | 1084 | cmd.exe | 141
PID 1084 wrote to memory of 1672 | 1084 | cmd.exe | 143
PID 1084 wrote to memory of 1672 | 1084 | cmd.exe | 143
PID 1672 wrote to memory of 2472 | 1672 | Registry.exe | 145
PID 1672 wrote to memory of 2472 | 1672 | Registry.exe | 145
PID 2472 wrote to memory of 1520 | 2472 | cmd.exe | 147
PID 2472 wrote to memory of 1520 | 2472 | cmd.exe | 147
PID 2472 wrote to memory of 876 | 2472 | cmd.exe | 149
PID 2472 wrote to memory of 876 | 2472 | cmd.exe | 149
PID 876 wrote to memory of 3040 | 876 | Registry.exe | 151
PID 876 wrote to memory of 3040 | 876 | Registry.exe | 151
PID 3040 wrote to memory of 1884 | 3040 | cmd.exe | 153
PID 3040 wrote to memory of 1884 | 3040 | cmd.exe | 153
PID 3040 wrote to memory of 4628 | 3040 | cmd.exe | 155
PID 3040 wrote to memory of 4628 | 3040 | cmd.exe | 155
PID 4628 wrote to memory of 4268 | 4628 | Registry.exe | 157
PID 4628 wrote to memory of 4268 | 4628 | Registry.exe | 157
PID 4268 wrote to memory of 4772 | 4268 | cmd.exe | 159
PID 4268 wrote to memory of 4772 | 4268 | cmd.exe | 159
PID 4268 wrote to memory of 1804 | 4268 | cmd.exe | 161
PID 4268 wrote to memory of 1804 | 4268 | cmd.exe | 161
PID 1804 wrote to memory of 1764 | 1804 | Registry.exe | 163
PID 1804 wrote to memory of 1764 | 1804 | Registry.exe | 163
PID 1764 wrote to memory of 4888 | 1764 | cmd.exe | 165
PID 1764 wrote to memory of 4888 | 1764 | cmd.exe | 165
PID 1764 wrote to memory of 3028 | 1764 | cmd.exe | 167
PID 1764 wrote to memory of 3028 | 1764 | cmd.exe | 167
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1868
[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1184
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4388
[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4556
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1980
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\Registry.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3076
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4436
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\SearchApp.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1348
[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4620
[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3852
[depth 6] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2356
[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2836
[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 880
[depth 8] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2216
[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3028
[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1456
[depth 10] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3904
[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1084
[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3076
[depth 12] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2472
[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1520
[depth 14] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 876
[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3040
[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1884
[depth 16] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4628
[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4268
[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4772
[depth 18] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1804
[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1764
[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4888
[depth 20] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3028
[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
  PID: 3324
[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1056
[depth 22] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1708
[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
  PID: 2744
[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3888
[depth 24] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2728
[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
  PID: 2176
[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2356
[depth 26] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2732
[depth 27] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
  PID: 3680
[depth 28] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3272
[depth 28] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2672
[depth 29] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
  PID: 1456
[depth 30] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 60
[depth 30] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4052
[depth 31] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
  PID: 1168
[depth 32] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4120
[depth 32] C:\Users\Default\Downloads\Registry.exe
  Command line: "C:\Users\Default\Downloads\Registry.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1192
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\Registry.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1752
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2588
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1320
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3612
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4884
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3164
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3304
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4548
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1880
Network
MITRE ATT&CK Enterprise v15
Downloads