dcrat | 7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309

Analysis

max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Size

762KB
MD5

90b452d84800d6430baba6ef4a5b965d
SHA1

d0597496e9fe52aeae9b299af9c23934b15bc1c7
SHA256

7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309
SHA512

3f805f25b6ae57fdeecb0c29275e9aab0d6cefe8e7ca162bab21b1631a1641ecd93b78fecd64a42d34baab2f34ee34e1e6bf2df30e86b15a5847c4035179ab8c
SSDEEP

12288:rkYHTs61mU1+6hH5aFJeV/3iXPrQfkXmm1RhdLB9XKynVwGQIgNa61+:rkYHTv5dIFJeVDE2a61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/2440-1-0x00000000012C0000-0x0000000001386000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0008000000016d36-23.dat	family_dcrat_v2
behavioral1/memory/2540-33-0x0000000000160000-0x0000000000226000-memory.dmp	family_dcrat_v2
behavioral1/memory/1904-44-0x0000000000050000-0x0000000000116000-memory.dmp	family_dcrat_v2
behavioral1/memory/2368-55-0x0000000000BD0000-0x0000000000C96000-memory.dmp	family_dcrat_v2
behavioral1/memory/1684-76-0x00000000000F0000-0x00000000001B6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2252-87-0x0000000000840000-0x0000000000906000-memory.dmp	family_dcrat_v2
behavioral1/memory/2636-98-0x0000000001290000-0x0000000001356000-memory.dmp	family_dcrat_v2
behavioral1/memory/1564-149-0x00000000013E0000-0x00000000014A6000-memory.dmp	family_dcrat_v2

Executes dropped EXE 16 IoCs

pid	Process
2540	audiodg.exe
1904	audiodg.exe
2368	audiodg.exe
632	audiodg.exe
1684	audiodg.exe
2252	audiodg.exe
2636	audiodg.exe
1476	audiodg.exe
1264	audiodg.exe
2788	audiodg.exe
2420	audiodg.exe
1564	audiodg.exe
2924	audiodg.exe
1988	audiodg.exe
2384	audiodg.exe
3016	audiodg.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\0a1fd5f707cd16	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\42af1c969fbb7b	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\dwm.exe	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
824	PING.EXE
2256	PING.EXE
824	PING.EXE
2680	PING.EXE
1620	PING.EXE
2364	PING.EXE
2848	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2848	PING.EXE
824	PING.EXE
2256	PING.EXE
824	PING.EXE
2680	PING.EXE
1620	PING.EXE
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
Token: SeDebugPrivilege	2540	audiodg.exe
Token: SeDebugPrivilege	1904	audiodg.exe
Token: SeDebugPrivilege	2368	audiodg.exe
Token: SeDebugPrivilege	632	audiodg.exe
Token: SeDebugPrivilege	1684	audiodg.exe
Token: SeDebugPrivilege	2252	audiodg.exe
Token: SeDebugPrivilege	2636	audiodg.exe
Token: SeDebugPrivilege	1476	audiodg.exe
Token: SeDebugPrivilege	1264	audiodg.exe
Token: SeDebugPrivilege	2788	audiodg.exe
Token: SeDebugPrivilege	2420	audiodg.exe
Token: SeDebugPrivilege	1564	audiodg.exe
Token: SeDebugPrivilege	2924	audiodg.exe
Token: SeDebugPrivilege	1988	audiodg.exe
Token: SeDebugPrivilege	2384	audiodg.exe
Token: SeDebugPrivilege	3016	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1988	2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe	30
PID 2440 wrote to memory of 1988	2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe	30
PID 2440 wrote to memory of 1988	2440	7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe	30
PID 1988 wrote to memory of 2568	1988	cmd.exe	32
PID 1988 wrote to memory of 2568	1988	cmd.exe	32
PID 1988 wrote to memory of 2568	1988	cmd.exe	32
PID 1988 wrote to memory of 2720	1988	cmd.exe	33
PID 1988 wrote to memory of 2720	1988	cmd.exe	33
PID 1988 wrote to memory of 2720	1988	cmd.exe	33
PID 1988 wrote to memory of 2540	1988	cmd.exe	34
PID 1988 wrote to memory of 2540	1988	cmd.exe	34
PID 1988 wrote to memory of 2540	1988	cmd.exe	34
PID 2540 wrote to memory of 3064	2540	audiodg.exe	36
PID 2540 wrote to memory of 3064	2540	audiodg.exe	36
PID 2540 wrote to memory of 3064	2540	audiodg.exe	36
PID 3064 wrote to memory of 2096	3064	cmd.exe	38
PID 3064 wrote to memory of 2096	3064	cmd.exe	38
PID 3064 wrote to memory of 2096	3064	cmd.exe	38
PID 3064 wrote to memory of 1776	3064	cmd.exe	39
PID 3064 wrote to memory of 1776	3064	cmd.exe	39
PID 3064 wrote to memory of 1776	3064	cmd.exe	39
PID 3064 wrote to memory of 1904	3064	cmd.exe	40
PID 3064 wrote to memory of 1904	3064	cmd.exe	40
PID 3064 wrote to memory of 1904	3064	cmd.exe	40
PID 1904 wrote to memory of 2448	1904	audiodg.exe	41
PID 1904 wrote to memory of 2448	1904	audiodg.exe	41
PID 1904 wrote to memory of 2448	1904	audiodg.exe	41
PID 2448 wrote to memory of 1140	2448	cmd.exe	43
PID 2448 wrote to memory of 1140	2448	cmd.exe	43
PID 2448 wrote to memory of 1140	2448	cmd.exe	43
PID 2448 wrote to memory of 2848	2448	cmd.exe	44
PID 2448 wrote to memory of 2848	2448	cmd.exe	44
PID 2448 wrote to memory of 2848	2448	cmd.exe	44
PID 2448 wrote to memory of 2368	2448	cmd.exe	45
PID 2448 wrote to memory of 2368	2448	cmd.exe	45
PID 2448 wrote to memory of 2368	2448	cmd.exe	45
PID 2368 wrote to memory of 2224	2368	audiodg.exe	46
PID 2368 wrote to memory of 2224	2368	audiodg.exe	46
PID 2368 wrote to memory of 2224	2368	audiodg.exe	46
PID 2224 wrote to memory of 2140	2224	cmd.exe	48
PID 2224 wrote to memory of 2140	2224	cmd.exe	48
PID 2224 wrote to memory of 2140	2224	cmd.exe	48
PID 2224 wrote to memory of 2156	2224	cmd.exe	49
PID 2224 wrote to memory of 2156	2224	cmd.exe	49
PID 2224 wrote to memory of 2156	2224	cmd.exe	49
PID 2224 wrote to memory of 632	2224	cmd.exe	51
PID 2224 wrote to memory of 632	2224	cmd.exe	51
PID 2224 wrote to memory of 632	2224	cmd.exe	51
PID 632 wrote to memory of 976	632	audiodg.exe	52
PID 632 wrote to memory of 976	632	audiodg.exe	52
PID 632 wrote to memory of 976	632	audiodg.exe	52
PID 976 wrote to memory of 1492	976	cmd.exe	54
PID 976 wrote to memory of 1492	976	cmd.exe	54
PID 976 wrote to memory of 1492	976	cmd.exe	54
PID 976 wrote to memory of 824	976	cmd.exe	55
PID 976 wrote to memory of 824	976	cmd.exe	55
PID 976 wrote to memory of 824	976	cmd.exe	55
PID 976 wrote to memory of 1684	976	cmd.exe	56
PID 976 wrote to memory of 1684	976	cmd.exe	56
PID 976 wrote to memory of 1684	976	cmd.exe	56
PID 1684 wrote to memory of 2984	1684	audiodg.exe	57
PID 1684 wrote to memory of 2984	1684	audiodg.exe	57
PID 1684 wrote to memory of 2984	1684	audiodg.exe	57
PID 2984 wrote to memory of 1460	2984	cmd.exe	59

C:\Users\Admin\AppData\Local\Temp\7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe
"C:\Users\Admin\AppData\Local\Temp\7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HFyfgOopjF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2568
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
    "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2096
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1776
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DNHOnF8KXH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat"
        14⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2192
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat"
        16⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3036
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1NLBXx3L0q.bat"
        18⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat"
        20⤵
        
        PID:1844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2960
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        22⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2060
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rbsopX3YR7.bat"
        24⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:824
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat"
        26⤵
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2520
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Y35xjzddj.bat"
        28⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat"
        30⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat"
        32⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8QxsqD9vmb.bat"
        34⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\audiodg.exe

Filesize
762KB

MD5
90b452d84800d6430baba6ef4a5b965d

SHA1
d0597496e9fe52aeae9b299af9c23934b15bc1c7

SHA256
7dd81613aae4d5f9046abccef050357e6ce1066e10a1b1b98de231dcded90309

SHA512
3f805f25b6ae57fdeecb0c29275e9aab0d6cefe8e7ca162bab21b1631a1641ecd93b78fecd64a42d34baab2f34ee34e1e6bf2df30e86b15a5847c4035179ab8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1NLBXx3L0q.bat

Filesize
241B

MD5
816d9b16735ab505cd26fe933c1731f1

SHA1
74f46601b7584d091777c4166337f0f7910abeca

SHA256
f55a3473fc3f293980e8fb060800e8875f08e185647f4fae285ff25291f79369

SHA512
15dd67ff209bb748b8f163693572d99b478dfff0381fcc389d4371eb5b627cdd575e93f659dfd98b1daf2763549e2bd8d0ff2fb60c717427be9384a07d36bb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8QxsqD9vmb.bat

Filesize
193B

MD5
c06b535066d0d3679c701496462fc11b

SHA1
34d3b8865f435390b35345b589c26b500af91875

SHA256
768a86e35898e04cbe0a4776b09e768665852827d19d0882dcf20b2294beab87

SHA512
5c18e7a6120b004a9edee064d47a9b8db079e953a492300d6d5b3436a395cacffebdc3dfda303b010484369e20bd559373c4f28b2f6682b5a30f3a59091479eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Y35xjzddj.bat

Filesize
241B

MD5
7ab5e217c29b5cb9eeefa54524711137

SHA1
061a282f98691f85dbc3f0827bfc9a724f8dd430

SHA256
f7c24296cce6ffecd32d4fb9b8353b230713629c541a855510a4c9d80c8c9923

SHA512
06f1500092df694b124a2743d48ec69c435b442214dabc08866392a957667acadcd33a0dd8a2ab0ec1692e63044213a0eb9a64517fc451b2577a307188afac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNHOnF8KXH.bat

Filesize
193B

MD5
103d5ac63eefc8ed7a222781fb4f80bf

SHA1
c237346d34d2bc5e5881ec9ef5925aeb50d41c9a

SHA256
76ee8955532aced2da5065dd402067670151ca7bdd274e892eb613dce1293e5b

SHA512
033d396b63bc17b32dcb5621636955ae18e3803172f8cef10043a2a6826b3695cd2da8b2f67b333a928f259770726699ad3d0137daa1ff85b19a4738a53eb8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFyfgOopjF.bat

Filesize
241B

MD5
0eca23cf6caee3d6acd0d29ee8dadbd0

SHA1
3db60c9d90bf58c8cf7f2264ca0f7d2e8b0d5683

SHA256
412c34750d6b66c4408c011063ba1009b80f7a837f202449e84488d07dddf497

SHA512
408755f269de28fa3c105aed71afa8ef6a5b9b6c8f4e7ae5369cae43056619c57916cb4bb8cf0f73623e131211b4016caaca5f5f93ab42d4f04919f2100e6b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat

Filesize
241B

MD5
7ad5c82b62366f3e4e698d0a49626dfe

SHA1
6cab5802f11511bd9110d687f4e29acc8db946b0

SHA256
c3eddf33d74f6f9fb22a2b23859b2322b24e5ee99edcaad9c5489b9225bae0bb

SHA512
4fe55c681843e7c3b5c269e072be62593772a7ec6df3f32c8cdda7226cec46651c550760e950a0ef9481eda71c2824bd0b120ba40e3c3edfdfc27cfaf8a7fc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

Filesize
193B

MD5
d33470b39bcf841f0bc6efdf735685bf

SHA1
1de50f0f3d1187aa58ac03cfc1669ce820fee213

SHA256
8fd861f4dc4e357b2c69f290f1d0cdf57b71046e6381e7c8435642658e034baf

SHA512
d6a0376ca2c6b8b02c617ab9d089eccb60c1df3a75e9d687584373c256e9ad9f54429e4913998ed781dae76d646bc2ad1b0f35f9dc0edd5c48df01c565121e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat

Filesize
193B

MD5
8cb7681298fd2b3528e0f1967b36a597

SHA1
fce128eb2fe0a231545bffc6743ece9d2d43b05d

SHA256
dec594964e576e8603b8f72e74094d984253aa95802f6f3339593887374ba475

SHA512
bb8bb7a1d4add98a572405bea44a71f672aa5961fc06661bd6cc11ace2605a64986e25b398315d05d8dc58a0685ac3a50d89de995e8e9afea04e60ae2a77c33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat

Filesize
193B

MD5
cb297bebac92ee65bd469e76d027903c

SHA1
497ce1dc3e0183edccc92a1b15ec9e8acceb5fee

SHA256
b5d38fa1a685d9f065185e4ac67c7fb913f9969384bb9d826d0446f71fb79325

SHA512
fe27f6a437382d04d225514b862c0e1eef7f42b9c8e86edee9b6ee22e044fb20499c2e5271b8fb201cb7d0718bdbaabe0d5a97f2342136a651aba73b1216838d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat

Filesize
193B

MD5
684e59fe5c048568997193a5ff660cfb

SHA1
c9f6a420a8dcc5232344165082939340e282125d

SHA256
24b334b59d1d1eb71dac8e3803af50abd4af4796423bf8deeb6f96390531bd3b

SHA512
557c1e8807c20fcb7894cef877a77b9602321636bf94f7a25cf34072db4c914ec0ecbf43166251956c189d3471bb4123fea8ede6df074ee58d232ba5eb0ab9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat

Filesize
241B

MD5
c8eb6a80ef2cca7b3900beb99d727fd4

SHA1
bb3dea19ca8572f147f3894007b3aff7db26e541

SHA256
cf189ec93d06c5f836cdfce392a10c23bd0edb0669680c36a5326f8b5d2e511c

SHA512
3282a907e096453ddcb746d7c98eddc67b13d9281615ea271215a9cedd33ce9f48076ff195fb3de6317869054428c7707ef89cb466fec999717e511d5309370a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
241B

MD5
a32859cfe056db8d79fbecff46b26168

SHA1
c52d37e2113f85d0992177c3916202f66c4644bc

SHA256
72f5bff0fc4adfe185e4502c5eb0503be8378908f9937501c92e2cf61d07b6f9

SHA512
8e442a573a103dfdf27e4d4b54df72f643fc48ebab54db37554bad485d445fc3715a2db298a278f09fcd8a6203a09b1f0ecf40e4fd22c5acae524e5f82b332e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat

Filesize
241B

MD5
8f0578de92bbbe3d25f5a93194c47437

SHA1
0f29f36b2002fab90e0f32e2816dcc104721be28

SHA256
c5c9b0432598cfae86ed09a4ce73b26929371b8448868d93bff4b11075935a9b

SHA512
fd9ebb3c8b82bcdd84546168ea85d71cfef7ec668066aeca2e12c42ab6d72fade467fe07bc9cc76bf283e0799fe59dc4111942c1af9952091da3ba11a500bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat

Filesize
241B

MD5
99603d732828b6c58c66cf4ef56eb45d

SHA1
60eae0df0b147d7014ad2bd16297d442703fcc56

SHA256
ccb7c93f4ea369aeb4c622b8ae633b952f81d86472ae6b398cf5d86afb35ce38

SHA512
ee57d70509ae63b160a2566f0ab46ab7d9808fac5239cccc5e20a451b283170190c9d90ef90743996ab523ff84d8c429e4d625012691e0ac96a019ac337a21eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbsopX3YR7.bat

Filesize
193B

MD5
d1ec2548f49248a8fd571f1e661b8c9a

SHA1
cce869e5fd42b0f494b64ff5a2adaa671a21204f

SHA256
921a9cc998c02cf7a2c36bfce5c4f77a7d33ee2c4ae08e54a11fddc184df215c

SHA512
c22243cc968becf32b2c31713a61465465fcb9ef9c8fb0ead7f5c026968fcbc0048dda7c8d423fc05b3c0dc7603dcab26ba16d893a5a10a879c3154ffa3667c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat

Filesize
241B

MD5
c0a3564388de8ff47cd9218365af501f

SHA1
4d6f5480bd702ffff9f699ad7c6a63c849976d80

SHA256
15979c57ea55cc0fac3855a72017f055bdcec0171be7ea8bb8bbf4403ecbfc1c

SHA512
710cb44cba0c7be1da7427cd3e530ba01176b9451ed4636a9bbf73d5d9cf3721bb117fac8d849d7474355fc8144f52a954a44c0bb8d098192908bd012269cb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat

Filesize
241B

MD5
f58a0f86b3f03d6572a54bf765f5967d

SHA1
2d37a5f3c7b5c943dc2fad664e86a2c19d334727

SHA256
d5815c4687308908d208f7e32bd3cb80607513eade9a8d7dc242ddca0b143729

SHA512
bfeb60b528dfd006be0f559eb4bde614e065901208cfb74cd36eaa964ebf8d54b26ec3cd4224d208950b3e0c130f7998850c9b61a11edaba32f12a55fd1d82b5

Download Submit
memory/1564-149-0x00000000013E0000-0x00000000014A6000-memory.dmp

Filesize
792KB

Download
memory/1684-76-0x00000000000F0000-0x00000000001B6000-memory.dmp

Filesize
792KB

Download
memory/1904-44-0x0000000000050000-0x0000000000116000-memory.dmp

Filesize
792KB

Download
memory/2252-87-0x0000000000840000-0x0000000000906000-memory.dmp

Filesize
792KB

Download
memory/2368-55-0x0000000000BD0000-0x0000000000C96000-memory.dmp

Filesize
792KB

Download
memory/2440-14-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-1-0x00000000012C0000-0x0000000001386000-memory.dmp

Filesize
792KB

Download
memory/2440-29-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-21-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-19-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-10-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2440-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2440-11-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-8-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/2440-6-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/2440-4-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2540-33-0x0000000000160000-0x0000000000226000-memory.dmp

Filesize
792KB

Download
memory/2636-98-0x0000000001290000-0x0000000001356000-memory.dmp

Filesize
792KB

Download