Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
21-12-2024 20:51
Behavioral task
behavioral1
Sample
JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe
-
Size
1.3MB
-
MD5
5a0aeea3a948710e406ba5ab73ad36f4
-
SHA1
4f7ca123a53039d31712dea1d29fe1edc1a8662c
-
SHA256
8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79
-
SHA512
20cb22496db596c9bf9c80495ba93d05fdf6762bcb69db01820d1bbb218a92fdba89278ab2568d974e1dd96adc7feb03c558b252fdf81224a320078d6703d09e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3036  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2636  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2728  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2772  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2764  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2696  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2532  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2700  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2668  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2492  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2540  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2968  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  384  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  848  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1700  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1932  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1744  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2232  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1812  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1528  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1452  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2396  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2032  2980  schtasks.exe  32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1956  2980  schtasks.exe  32
-
resource  yara_rule
behavioral1/files/0x0008000000016c73-12.dat  dcrat
behavioral1/memory/2948-13-0x0000000000050000-0x0000000000160000-memory.dmp  dcrat
behavioral1/memory/2996-87-0x00000000002D0000-0x00000000003E0000-memory.dmp  dcrat
behavioral1/memory/2744-147-0x00000000009A0000-0x0000000000AB0000-memory.dmp  dcrat
behavioral1/memory/2724-207-0x0000000000A50000-0x0000000000B60000-memory.dmp  dcrat
behavioral1/memory/1100-267-0x00000000012B0000-0x00000000013C0000-memory.dmp  dcrat
behavioral1/memory/2428-448-0x00000000000A0000-0x00000000001B0000-memory.dmp  dcrat
behavioral1/memory/2716-508-0x0000000000290000-0x00000000003A0000-memory.dmp  dcrat
behavioral1/memory/1956-569-0x0000000000FA0000-0x00000000010B0000-memory.dmp  dcrat
behavioral1/memory/320-630-0x00000000003C0000-0x00000000004D0000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
1960  powershell.exe
2796  powershell.exe
2724  powershell.exe
2548  powershell.exe
2584  powershell.exe
2792  powershell.exe
1984  powershell.exe
1988  powershell.exe
1948  powershell.exe
-
Executes dropped EXE 11 IoCs
pid  Process
2948  DllCommonsvc.exe
2996  dllhost.exe
2744  dllhost.exe
2724  dllhost.exe
1100  dllhost.exe
284  dllhost.exe
1148  dllhost.exe
2428  dllhost.exe
2716  dllhost.exe
1956  dllhost.exe
320  dllhost.exe
-
Loads dropped DLL 2 IoCs
pid  Process
2296  cmd.exe
2296  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow  ioc
5  raw.githubusercontent.com
9  raw.githubusercontent.com
12  raw.githubusercontent.com
19  raw.githubusercontent.com
22  raw.githubusercontent.com
26  raw.githubusercontent.com
4  raw.githubusercontent.com
16  raw.githubusercontent.com
29  raw.githubusercontent.com
33  raw.githubusercontent.com
-
Drops file in Program Files directory 6 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7  DllCommonsvc.exe
File created  C:\Program Files\Java\jre7\bin\audiodg.exe  DllCommonsvc.exe
File created  C:\Program Files\Java\jre7\bin\42af1c969fbb7b  DllCommonsvc.exe
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe  DllCommonsvc.exe
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe  DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\Windows\Logs\HomeGroup\cmd.exe  DllCommonsvc.exe
File created  C:\Windows\Logs\HomeGroup\ebf1f9fa8afd6d  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2396  schtasks.exe
2532  schtasks.exe
2668  schtasks.exe
2492  schtasks.exe
2968  schtasks.exe
1744  schtasks.exe
1452  schtasks.exe
3036  schtasks.exe
2232  schtasks.exe
2032  schtasks.exe
1812  schtasks.exe
1528  schtasks.exe
2636  schtasks.exe
2772  schtasks.exe
2764  schtasks.exe
2700  schtasks.exe
2540  schtasks.exe
1932  schtasks.exe
2728  schtasks.exe
2696  schtasks.exe
384  schtasks.exe
848  schtasks.exe
1700  schtasks.exe
1956  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid  Process
2948  DllCommonsvc.exe
2948  DllCommonsvc.exe
2948  DllCommonsvc.exe
1960  powershell.exe
2724  powershell.exe
1948  powershell.exe
2796  powershell.exe
1984  powershell.exe
1988  powershell.exe
2548  powershell.exe
2584  powershell.exe
2792  powershell.exe
2996  dllhost.exe
2744  dllhost.exe
2724  dllhost.exe
1100  dllhost.exe
284  dllhost.exe
1148  dllhost.exe
2428  dllhost.exe
2716  dllhost.exe
1956  dllhost.exe
320  dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description  pid  Process
Token: SeDebugPrivilege  2948  DllCommonsvc.exe
Token: SeDebugPrivilege  1960  powershell.exe
Token: SeDebugPrivilege  2724  powershell.exe
Token: SeDebugPrivilege  1948  powershell.exe
Token: SeDebugPrivilege  2796  powershell.exe
Token: SeDebugPrivilege  1984  powershell.exe
Token: SeDebugPrivilege  1988  powershell.exe
Token: SeDebugPrivilege  2548  powershell.exe
Token: SeDebugPrivilege  2584  powershell.exe
Token: SeDebugPrivilege  2792  powershell.exe
Token: SeDebugPrivilege  2996  dllhost.exe
Token: SeDebugPrivilege  2744  dllhost.exe
Token: SeDebugPrivilege  2724  dllhost.exe
Token: SeDebugPrivilege  1100  dllhost.exe
Token: SeDebugPrivilege  284  dllhost.exe
Token: SeDebugPrivilege  1148  dllhost.exe
Token: SeDebugPrivilege  2428  dllhost.exe
Token: SeDebugPrivilege  2716  dllhost.exe
Token: SeDebugPrivilege  1956  dllhost.exe
Token: SeDebugPrivilege  320  dllhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2408 wrote to memory of 1708  2408  JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe  28
PID 2408 wrote to memory of 1708  2408  JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe  28
PID 2408 wrote to memory of 1708  2408  JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe  28
PID 2408 wrote to memory of 1708  2408  JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe  28
PID 1708 wrote to memory of 2296  1708  WScript.exe  29
PID 1708 wrote to memory of 2296  1708  WScript.exe  29
PID 1708 wrote to memory of 2296  1708  WScript.exe  29
PID 1708 wrote to memory of 2296  1708  WScript.exe  29
PID 2296 wrote to memory of 2948  2296  cmd.exe  31
PID 2296 wrote to memory of 2948  2296  cmd.exe  31
PID 2296 wrote to memory of 2948  2296  cmd.exe  31
PID 2296 wrote to memory of 2948  2296  cmd.exe  31
PID 2948 wrote to memory of 1984  2948  DllCommonsvc.exe  57
PID 2948 wrote to memory of 1984  2948  DllCommonsvc.exe  57
PID 2948 wrote to memory of 1984  2948  DllCommonsvc.exe  57
PID 2948 wrote to memory of 1988  2948  DllCommonsvc.exe  58
PID 2948 wrote to memory of 1988  2948  DllCommonsvc.exe  58
PID 2948 wrote to memory of 1988  2948  DllCommonsvc.exe  58
PID 2948 wrote to memory of 1960  2948  DllCommonsvc.exe  59
PID 2948 wrote to memory of 1960  2948  DllCommonsvc.exe  59
PID 2948 wrote to memory of 1960  2948  DllCommonsvc.exe  59
PID 2948 wrote to memory of 1948  2948  DllCommonsvc.exe  60
PID 2948 wrote to memory of 1948  2948  DllCommonsvc.exe  60
PID 2948 wrote to memory of 1948  2948  DllCommonsvc.exe  60
PID 2948 wrote to memory of 2548  2948  DllCommonsvc.exe  61
PID 2948 wrote to memory of 2548  2948  DllCommonsvc.exe  61
PID 2948 wrote to memory of 2548  2948  DllCommonsvc.exe  61
PID 2948 wrote to memory of 2584  2948  DllCommonsvc.exe  62
PID 2948 wrote to memory of 2584  2948  DllCommonsvc.exe  62
PID 2948 wrote to memory of 2584  2948  DllCommonsvc.exe  62
PID 2948 wrote to memory of 2792  2948  DllCommonsvc.exe  63
PID 2948 wrote to memory of 2792  2948  DllCommonsvc.exe  63
PID 2948 wrote to memory of 2792  2948  DllCommonsvc.exe  63
PID 2948 wrote to memory of 2796  2948  DllCommonsvc.exe  64
PID 2948 wrote to memory of 2796  2948  DllCommonsvc.exe  64
PID 2948 wrote to memory of 2796  2948  DllCommonsvc.exe  64
PID 2948 wrote to memory of 2724  2948  DllCommonsvc.exe  65
PID 2948 wrote to memory of 2724  2948  DllCommonsvc.exe  65
PID 2948 wrote to memory of 2724  2948  DllCommonsvc.exe  65
PID 2948 wrote to memory of 2844  2948  DllCommonsvc.exe  75
PID 2948 wrote to memory of 2844  2948  DllCommonsvc.exe  75
PID 2948 wrote to memory of 2844  2948  DllCommonsvc.exe  75
PID 2844 wrote to memory of 1808  2844  cmd.exe  77
PID 2844 wrote to memory of 1808  2844  cmd.exe  77
PID 2844 wrote to memory of 1808  2844  cmd.exe  77
PID 2844 wrote to memory of 2996  2844  cmd.exe  78
PID 2844 wrote to memory of 2996  2844  cmd.exe  78
PID 2844 wrote to memory of 2996  2844  cmd.exe  78
PID 2996 wrote to memory of 2596  2996  dllhost.exe  81
PID 2996 wrote to memory of 2596  2996  dllhost.exe  81
PID 2996 wrote to memory of 2596  2996  dllhost.exe  81
PID 2596 wrote to memory of 1300  2596  cmd.exe  83
PID 2596 wrote to memory of 1300  2596  cmd.exe  83
PID 2596 wrote to memory of 1300  2596  cmd.exe  83
PID 2596 wrote to memory of 2744  2596  cmd.exe  84
PID 2596 wrote to memory of 2744  2596  cmd.exe  84
PID 2596 wrote to memory of 2744  2596  cmd.exe  84
PID 2744 wrote to memory of 2368  2744  dllhost.exe  85
PID 2744 wrote to memory of 2368  2744  dllhost.exe  85
PID 2744 wrote to memory of 2368  2744  dllhost.exe  85
PID 2368 wrote to memory of 688  2368  cmd.exe  87
PID 2368 wrote to memory of 688  2368  cmd.exe  87
PID 2368 wrote to memory of 688  2368  cmd.exe  87
PID 2368 wrote to memory of 2724  2368  cmd.exe  88
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b62f124a265555480bc8cd19f194524e4d3f660431217891098147bcf80db79.exe"  (depth 1)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"  (depth 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.exe  cmd /c ""C:\providercommon\1zu9dW.bat" "  (depth 3)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\providercommon\DllCommonsvc.exe  "C:\providercommon\DllCommonsvc.exe"  (depth 4)
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\cmd.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\dllhost.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\audiodg.exe'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat"  (depth 5)
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 6)  PID:1808
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 6)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"  (depth 7)
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 8)  PID:1300
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 8)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"  (depth 9)
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 10)  PID:688
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 10)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"  (depth 11)  PID:2928
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 12)  PID:2100
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 12)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"  (depth 13)  PID:1980
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 14)  PID:2800
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 14)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"  (depth 15)  PID:2056
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 16)  PID:408
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 16)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"  (depth 17)  PID:1092
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 18)  PID:2948
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 18)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"  (depth 19)  PID:2016
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 20)  PID:1008
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 20)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"  (depth 21)  PID:2404
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 22)  PID:1812
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 22)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"  (depth 23)  PID:2368
-
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (depth 24)  PID:3012
-
-
C:\Users\All Users\Adobe\dllhost.exe  "C:\Users\All Users\Adobe\dllhost.exe"  (depth 24)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\cmd.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f  (depth 1)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 46eee2af9c38ab4001baba9d5cb6b39e
SHA1 8f5996d9a74e4fa035bd2271112437b0f90b07b7
SHA256 80dcec2227933199e05bea80b406d7698a7916691463494c157751f7ecf372d7
SHA512 6b5b71c4162f4a0185730f5224d9c40de082b011fe8d653714fa0b99b3d4ae5c9ff2ff374e5d4c1bc805316632b42e4cf158fee172f1858b14c32679b2bf20b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a2254e8b84a56ca82dd88725535cadd7
SHA1 4669bfc0d3fe5802a5f2eccd4f50f37b1220a594
SHA256 def54ca9d20a2be98814167bb43fcfc71cd325b0ea8b6034da1278d982785043
SHA512 71e23120c716058551c2fa15e2b16f24b5d791c5b8808763fbeba557d7d3e77bc34581e4b57fc40b7e64bab96a1c0df829e8f2100d7e7ff3285e88f7a4ce1d79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dd7fc67d3ca45d6c19b96f9b4ea41e05
SHA1 4b15897c30f73aa1469c6f67e8a6351e797e9f44
SHA256 cb3d93cdc919719b7ef197b58e46d658a93b4e720f601f0909ba8006145109d4
SHA512 d063bad47b836dd3953abac477495b79aef2d1b6ba0e065067bb1117bd01bff735fdb32efeff8cad719ca4725bf987ba2f3a7f05017cb02aad97709ab489787e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 18a230607bb9d1a012fe00e705fa37ec
SHA1 45229f90ebc20612ed4589551355bb71deaf829d
SHA256 17bd7d6d683bf08e2601a0f7537626df8c4be043a0d60ee7cdd1f084ac1c67cf
SHA512 54cfbf03bc88addfe7066f141714458eb83c5cb00b1339786cd88f413fc0d7f250659b7f341fb1948ac07cd921445d5dd7c4085da193f3aaaa4924e6f6931035
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b116f46d1478849c8a666626bd840138
SHA1 1da8272105dab865351dc502aac86cfea4c8c369
SHA256 13119ba9df91d0a892384f5019fd4c2f81b753cee2c09ff4e3b081f1216d863c
SHA512 d606789b2366596f2f11d82f7e8a93bd9e2e08f4fcdf9f81d9e5f70bf92cd4678bb3b0cfff860da3d0d9c6d69b5690e0c0c31c421ec7a300b02184bfbd4c404c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a8b128b520a875d95221f1c94ea3ec02
SHA1 19a37e137e95152411a37c50161a3d80d71d090d
SHA256 a40bd311d26eabd8d1b8afbbc400f062ad1e8314f0dc91bcb0475fd9afc7bb06
SHA512 b7f0319645cc47b0e0a2f9f1ace16f49fd0a1a9fbf4428ad424f2d597884fee6b7324d6545d187e6aa9e75ece503d516fc4eb8bc51d676a150bb9328e65cecb8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5d170fa9e181496043df247635ccfb9c
SHA1 f51a57463f1c4b8173f73bb3e78aed2bd042dd18
SHA256 a292ce457da526d636239e40f10e125829d9ced8639b2e568cad86172d461024
SHA512 637920ffd04a01ea7089fd02304a50806bdcb1d64d7a91973c6f6abfd727cf4cdfa58a7112a36fa1619de31e60de5204edd5438b1cccee7304e96258a0d51dce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a1049bb7c07980c1395ff5acdedf819f
SHA1 f30730b8160bcf6c8957260dc80888783a0ce2a0
SHA256 15f2c297902ce34939ef2428056dd1b62a20e72a8adcca965f001a8ef8946487
SHA512 80c73baf83ea9aa92c4679e14de8fb89abb610132625e056f41afe951eee7cc02daf9fda17e1730e038243ae8a304bee72eaa8e2facb5c2e7d497e114c1d1a7c
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 201B
MD5 d565de685c5926d1a89abdd72ab3bf29
SHA1 8657e028e5441cded00de1f5199af91f93af0a72
SHA256 17863dad2998eaed7cb2d6a11ab49c45c71fa112f5532a44d8871c072cb48321
SHA512 943bf62fc452ae2a71f1ae359ce49598cab4a1895f8b2060b301bd3006bf17fa542e98a0d353d077e8b40b72b7d65c3038b56da56bf08fb6f98abc6e5a24d848
-
Filesize 201B
MD5 0ce609ff8ad60663be045eef1a939e44
SHA1 a7414d4d5570dc102949892d19ffae1636b0517c
SHA256 b9f629ffcbef09f9741ca72e60e27b56cc352537e0907d317080ea2833f47348
SHA512 daecaa42cef0efbf45f92c9d9d6a58284693f80757ec74fcefcd0582b9954d73b87c1ccfacbb807bfcf6d264475eaede3694ec9105aac83dacc34800873c4779
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 201B
MD5 33ff9a706a353bfcb5c9b4742d870867
SHA1 cdc09bc22123ee08b546392e67ec41c25e3c80af
SHA256 75dfaedcfc659903208a890619468f2547bc75ef0b88a22b4ce3771fab647061
SHA512 68edcf6286679a8558649863fb1688983fbeb8039252e0947cb418e39fc6a14c70d527f79a16d8f72d71f511c9254dc685ca59cfe02e57054685dd95f09ea9a0
-
Filesize 201B
MD5 be10d459ca8a342d6b6d1a2a129804ca
SHA1 15fd58eab8563c305dceadca78ed22dd03d93388
SHA256 58fb4bf4ad67ad74834be0f23e7b3479479e6b23acddc0fea5b45a4b56225f16
SHA512 35d7e70b9cf581185940404d2a933834d47bfa093680f7b820f7429136fdad6c0e20fed352c782e5880b63d0ab06990396f173521a0cc55ae90ac8fc67501368
-
Filesize 201B
MD5 3b7cc0e074b79895f25a0c77286373a7
SHA1 ed12c8d06c400a7e0dcf6523ab1986825fdaa655
SHA256 0df68536bc21678d15c62407418e21013e8d7b8e6e66052bc89c79f66aa9a246
SHA512 669b3a80693e6934c3f9e7052e768e5b5c316b6812879b69c9484be8b485551dbbfccd7bfe96dfae42f5bbc26df0de7bc1cd18bc0c267b5e72dcae9aa167027c
-
Filesize 201B
MD5 8ffaad6c9988dddd86f9a3caf88bfe00
SHA1 86219e07976c07de132ff45666ea19a9ee181da3
SHA256 73bc4516b4ad1131fd76130845451289ee9230c2dfe5f7a7594f8c0522c759bc
SHA512 486466656a5ec276060337d9c9899b51f933947c20a06e08ff48593aaa1555195c77b0a3f93e27acc4248d0a36f474653868aa83eb5cab047aef0b9dbbb17794
-
Filesize 201B
MD5 4f18c8ef221dfda703f41592259c0423
SHA1 8cbba39365135dfb026a6797c17d039f2fd6dbfd
SHA256 2da8f25c44d5bfb2f334fc72cb31ff33c650f1da0c2d8cf4810e7c27b15da128
SHA512 5fc461e8b0dee27782511da3b683c967780428c7a45e52d257e948a529de31dc1ad9ece464d214abe94452bb40b8b24cf0460dd775f578ca6b83741a97183df7
-
Filesize 201B
MD5 7796004e174c244f84df667c434b173d
SHA1 2b8f8734f720256cee68a318308956fe0017166a
SHA256 6d9f39503f5ea476203e1809eed56d59933ac93d0ba3e5db74b415fb31aae073
SHA512 f7319aad8488d56f3dad319ad2bab04621970474d0d20850dc055746975e7a19e901765803835c5abf8c1757e887418da33c8a27f08bb52b68c56b06a910fa2a
-
Filesize 201B
MD5 8c2b1aba827027491fac261a6e971bbd
SHA1 a33e018b392658369903a1e3452aab754d237b98
SHA256 5ad3f598dec01e082430eeccde2f96fa3e2dac08a7416316a668cd106336d067
SHA512 47aff350884b993dc6a59a439b0294588ceefea9af33b550846bdae2c4c85a3c5121cdad818d44762d09d1f1aad43c71929bf982196f231129fc52bc15399024
-
Filesize 201B
MD5 b1c0dd7c22216a45f5ba898d35d5447d
SHA1 f62e99b8c9d3568d5e4e0255c1847d7354677ad3
SHA256 abc434395158b82de957b2d47b3516b5c08676a938f7a7c22dbcea42ed0e819e
SHA512 9a86c21782c74db23f51da0b8d283e25cc99bb29fa801a6e3860dc5cef36d500930507391aaeacc3cd49a34f03dbea29c3809b923174ca5225a5b86f0d090839
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T868LRX9LEVGX9RRCRAE.temp
Filesize 7KB
MD5 02bb224c2ad7218519887f5717ecd2f6
SHA1 c26c788e94c61fd235894522781c79dcba2f7595
SHA256 c0bdcca0abdcf3887a3c624cc54a9f15e61ca5efafa6cb4a809976332800c63b
SHA512 8eb172960cce3350bb991f005e882bb6a5c631d29ea288ba2717acb1c8ca8b6ac52d859b23469b7ef8a774cfdec8f0f309385ebf690297edfdeca80faeadf5d9
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478