Analysis
max time kernel: 143s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 01:00
Behavioral task behavioral1
  Sample: JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe
Size: 1.3MB
MD5: 5cb74f0bef786ab2de98f621ab57944c
SHA1: ff105758cbd8886db6e5da721946da07240ea233
SHA256: 21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186
SHA512: 1731985b82a8b4e53038b19e95c1ac9887be4855b10b5c8c8370018ccfe54a583086527c62adeb62e9e81952a7f28a64a786b3f4f90f85bb7f2420f52a69c6f7
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2120 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 288 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 680 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2012 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2596 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2448 | 2596 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0008000000016890-12.dat | dcrat
behavioral1/memory/2672-13-0x0000000000890000-0x00000000009A0000-memory.dmp | dcrat
behavioral1/memory/1744-81-0x0000000001380000-0x0000000001490000-memory.dmp | dcrat
behavioral1/memory/2268-140-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/2164-200-0x0000000000A10000-0x0000000000B20000-memory.dmp | dcrat
behavioral1/memory/2100-260-0x0000000001260000-0x0000000001370000-memory.dmp | dcrat
behavioral1/memory/2668-558-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
behavioral1/memory/2192-618-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
448 | powershell.exe
1084 | powershell.exe
1256 | powershell.exe
1160 | powershell.exe
2080 | powershell.exe
2044 | powershell.exe
2112 | powershell.exe
2416 | powershell.exe
2236 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
2672 | DllCommonsvc.exe
1744 | dllhost.exe
2268 | dllhost.exe
2164 | dllhost.exe
2100 | dllhost.exe
2564 | dllhost.exe
2040 | dllhost.exe
2672 | dllhost.exe
2360 | dllhost.exe
2668 | dllhost.exe
2192 | dllhost.exe
Loads dropped DLL 2 IoCs
pid | Process
2392 | cmd.exe
2392 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
9 | raw.githubusercontent.com
4 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
5 | raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jre7\bin\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jre7\bin\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64 | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Logs\HomeGroup\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Logs\HomeGroup\f3b6ecef712a24 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2196 | schtasks.exe
2888 | schtasks.exe
288 | schtasks.exe
680 | schtasks.exe
2744 | schtasks.exe
2012 | schtasks.exe
2972 | schtasks.exe
2908 | schtasks.exe
3044 | schtasks.exe
2444 | schtasks.exe
2440 | schtasks.exe
1636 | schtasks.exe
2448 | schtasks.exe
1036 | schtasks.exe
2820 | schtasks.exe
2620 | schtasks.exe
536 | schtasks.exe
2268 | schtasks.exe
3028 | schtasks.exe
2120 | schtasks.exe
1640 | schtasks.exe
2872 | schtasks.exe
1764 | schtasks.exe
2736 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2672 | DllCommonsvc.exe
2672 | DllCommonsvc.exe
2672 | DllCommonsvc.exe
2112 | powershell.exe
2416 | powershell.exe
1084 | powershell.exe
1256 | powershell.exe
1160 | powershell.exe
2044 | powershell.exe
2080 | powershell.exe
448 | powershell.exe
2236 | powershell.exe
1744 | dllhost.exe
2268 | dllhost.exe
2164 | dllhost.exe
2100 | dllhost.exe
2564 | dllhost.exe
2040 | dllhost.exe
2672 | dllhost.exe
2360 | dllhost.exe
2668 | dllhost.exe
2192 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2672 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2112 | powershell.exe
Token: SeDebugPrivilege | 1084 | powershell.exe
Token: SeDebugPrivilege | 2416 | powershell.exe
Token: SeDebugPrivilege | 1256 | powershell.exe
Token: SeDebugPrivilege | 1160 | powershell.exe
Token: SeDebugPrivilege | 2044 | powershell.exe
Token: SeDebugPrivilege | 2080 | powershell.exe
Token: SeDebugPrivilege | 448 | powershell.exe
Token: SeDebugPrivilege | 2236 | powershell.exe
Token: SeDebugPrivilege | 1744 | dllhost.exe
Token: SeDebugPrivilege | 2268 | dllhost.exe
Token: SeDebugPrivilege | 2164 | dllhost.exe
Token: SeDebugPrivilege | 2100 | dllhost.exe
Token: SeDebugPrivilege | 2564 | dllhost.exe
Token: SeDebugPrivilege | 2040 | dllhost.exe
Token: SeDebugPrivilege | 2672 | dllhost.exe
Token: SeDebugPrivilege | 2360 | dllhost.exe
Token: SeDebugPrivilege | 2668 | dllhost.exe
Token: SeDebugPrivilege | 2192 | dllhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 2784 | 2188 | JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe | 30
PID 2188 wrote to memory of 2784 | 2188 | JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe | 30
PID 2188 wrote to memory of 2784 | 2188 | JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe | 30
PID 2188 wrote to memory of 2784 | 2188 | JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe | 30
PID 2784 wrote to memory of 2392 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2392 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2392 | 2784 | WScript.exe | 31
PID 2784 wrote to memory of 2392 | 2784 | WScript.exe | 31
PID 2392 wrote to memory of 2672 | 2392 | cmd.exe | 33
PID 2392 wrote to memory of 2672 | 2392 | cmd.exe | 33
PID 2392 wrote to memory of 2672 | 2392 | cmd.exe | 33
PID 2392 wrote to memory of 2672 | 2392 | cmd.exe | 33
PID 2672 wrote to memory of 1256 | 2672 | DllCommonsvc.exe | 59
PID 2672 wrote to memory of 1256 | 2672 | DllCommonsvc.exe | 59
PID 2672 wrote to memory of 1256 | 2672 | DllCommonsvc.exe | 59
PID 2672 wrote to memory of 2416 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 2416 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 2416 | 2672 | DllCommonsvc.exe | 60
PID 2672 wrote to memory of 1160 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 1160 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 1160 | 2672 | DllCommonsvc.exe | 61
PID 2672 wrote to memory of 2236 | 2672 | DllCommonsvc.exe | 62
PID 2672 wrote to memory of 2236 | 2672 | DllCommonsvc.exe | 62
PID 2672 wrote to memory of 2236 | 2672 | DllCommonsvc.exe | 62
PID 2672 wrote to memory of 2080 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 2080 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 2080 | 2672 | DllCommonsvc.exe | 63
PID 2672 wrote to memory of 2044 | 2672 | DllCommonsvc.exe | 64
PID 2672 wrote to memory of 2044 | 2672 | DllCommonsvc.exe | 64
PID 2672 wrote to memory of 2044 | 2672 | DllCommonsvc.exe | 64
PID 2672 wrote to memory of 2112 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 2112 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 2112 | 2672 | DllCommonsvc.exe | 65
PID 2672 wrote to memory of 448 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 448 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 448 | 2672 | DllCommonsvc.exe | 66
PID 2672 wrote to memory of 1084 | 2672 | DllCommonsvc.exe | 67
PID 2672 wrote to memory of 1084 | 2672 | DllCommonsvc.exe | 67
PID 2672 wrote to memory of 1084 | 2672 | DllCommonsvc.exe | 67
PID 2672 wrote to memory of 884 | 2672 | DllCommonsvc.exe | 77
PID 2672 wrote to memory of 884 | 2672 | DllCommonsvc.exe | 77
PID 2672 wrote to memory of 884 | 2672 | DllCommonsvc.exe | 77
PID 884 wrote to memory of 2244 | 884 | cmd.exe | 79
PID 884 wrote to memory of 2244 | 884 | cmd.exe | 79
PID 884 wrote to memory of 2244 | 884 | cmd.exe | 79
PID 884 wrote to memory of 1744 | 884 | cmd.exe | 80
PID 884 wrote to memory of 1744 | 884 | cmd.exe | 80
PID 884 wrote to memory of 1744 | 884 | cmd.exe | 80
PID 1744 wrote to memory of 1140 | 1744 | dllhost.exe | 81
PID 1744 wrote to memory of 1140 | 1744 | dllhost.exe | 81
PID 1744 wrote to memory of 1140 | 1744 | dllhost.exe | 81
PID 1140 wrote to memory of 1632 | 1140 | cmd.exe | 83
PID 1140 wrote to memory of 1632 | 1140 | cmd.exe | 83
PID 1140 wrote to memory of 1632 | 1140 | cmd.exe | 83
PID 1140 wrote to memory of 2268 | 1140 | cmd.exe | 84
PID 1140 wrote to memory of 2268 | 1140 | cmd.exe | 84
PID 1140 wrote to memory of 2268 | 1140 | cmd.exe | 84
PID 2268 wrote to memory of 1700 | 2268 | dllhost.exe | 85
PID 2268 wrote to memory of 1700 | 2268 | dllhost.exe | 85
PID 2268 wrote to memory of 1700 | 2268 | dllhost.exe | 85
PID 1700 wrote to memory of 2188 | 1700 | cmd.exe | 87
PID 1700 wrote to memory of 2188 | 1700 | cmd.exe | 87
PID 1700 wrote to memory of 2188 | 1700 | cmd.exe | 87
PID 1700 wrote to memory of 2164 | 1700 | cmd.exe | 88
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21bf8c1dac8fc08ee767355683cf189abc3448eca1b351070e843ce29e40b186.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2188
[level 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2784
[level 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2392
[level 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1256
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2416
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1160
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2236
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2080
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2044
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2112
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 448
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1084
[level 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcjBxfEQhp.bat"
  - Suspicious use of WriteProcessMemory
  PID: 884
[level 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2244
[level 6] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1744
[level 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1140
[level 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1632
[level 8] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2268
[level 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1700
[level 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2188
[level 10] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2164
[level 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
  PID: 956
[level 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1776
[level 12] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2100
[level 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
  PID: 1040
[level 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2168
[level 14] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2564
[level 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
  PID: 2600
[level 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2512
[level 16] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2040
[level 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
  PID: 2000
[level 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1088
[level 18] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2672
[level 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
  PID: 1396
[level 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1100
[level 20] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2360
[level 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
  PID: 2976
[level 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1964
[level 22] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2668
[level 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
  PID: 2020
[level 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 448
[level 24] C:\Users\All Users\Adobe\dllhost.exe
  Command line: "C:\Users\All Users\Adobe\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3028
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2196
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1036
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2820
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2908
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3044
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2120
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2888
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 288
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2444
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2440
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2620
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1640
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 680
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2872
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2744
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1636
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 536
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2012
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1764
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2972
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2736
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2268
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2448