Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 23:31

General

  • Target

    JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe

  • Size

    1.3MB

  • MD5

    3b38854c884bcd21a33c191ca861ef5b

  • SHA1

    ce9e05479f0c5ddbc6afd3b90d384bab5a677545

  • SHA256

    deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5

  • SHA512

    73ce9436ee90fbb79ec76d20cd54b4db22b9578796baada1645bcaf591071a0d65c4ed497b46f4d8346124c035c3e8edc44538f36e7375052d0bd82345bd45b9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deb4ea300fdb7e3a964ca20cc1992f87ab20a24be96e7c16c605a82ed70f3bb5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
            "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1108
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2148
                • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                  "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2888
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:876
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2688
                      • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2280
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:552
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:688
                            • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                              "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:292
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
                                12⤵
                                  PID:2364
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2468
                                    • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1620
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
                                        14⤵
                                          PID:912
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:1580
                                            • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                              "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1748
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
                                                16⤵
                                                  PID:1860
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:1000
                                                    • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2040
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
                                                        18⤵
                                                          PID:1448
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2100
                                                            • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                              "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1520
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
                                                                20⤵
                                                                  PID:2156
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:2076
                                                                    • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                                      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1052
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
                                                                        22⤵
                                                                          PID:2240
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:1656
                                                                            • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                                              "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1532
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
                                                                                24⤵
                                                                                  PID:2804
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:2708
                                                                                    • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
                                                                                      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720

Network

  • DNS query by audiodg.exe, remote address 8.8.8.8:53
    Request: raw.githubusercontent.com IN A
    Response: raw.githubusercontent.com IN A 185.199.108.133, 185.199.111.133, 185.199.110.133, 185.199.109.133
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 741 B 4.1kB 9 10
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 741 B 4.1kB 9 10
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 793 B 4.2kB 10 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 695 B 4.1kB 8 10
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 747 B 4.2kB 9 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 747 B 4.2kB 9 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 747 B 4.2kB 9 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 747 B 4.2kB 9 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 747 B 4.2kB 9 11
  • 185.199.108.133:443 raw.githubusercontent.com tls audiodg.exe 793 B 4.2kB 10 11
  • 8.8.8.8:53 raw.githubusercontent.com dns audiodg.exe 71 B 135 B 1 1
    DNS Request: raw.githubusercontent.com
    DNS Response: 185.199.108.133, 185.199.111.133, 185.199.110.133, 185.199.109.133

                                    MITRE ATT&CK Enterprise v15


                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: eaba572f1868d0e745116a9362512a4b
                                      SHA1: da5321b787b6b5a6d5761f53283d541af92a5d45
                                      SHA256: 005ea2ac2df8fdbe0a46cb51e33b294921807b5a16ba34050e94210360d0468f
                                      SHA512: 53fc2b70066fcce2ee5bf04557e28d8906e679d1330dcaa9cd7f98a25e9d07bec376ffc80ec6fa0a15c311357a2362a7c6f869e8d405e568aab67ac68641d547

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 14c1fff932873d8c4ec7448e0d79b4e0
                                      SHA1: 0e9b61762f1fd3d7da0221b224cf99646ebf9845
                                      SHA256: 0487b079f3565ae4097792b35b1d3bd759c06e716f5f18b791df02e9bd0dff78
                                      SHA512: c2402a878d7ae816216a1d81328ec1e0712cb2d31819a92627240def935d94fb84b01643e3abaaffc1f87a39dffd62cd78e0fb7db4d754849ff9a5f42058d18d

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: e34be77d743e5c7b87b77f17dd2bf00e
                                      SHA1: 9a26a083191ead4d6fd5d6d653fb0a9f5a1b5913
                                      SHA256: 0c384c97581ac0a04c954bf70a6e26a24727054f1281af2f0a160ce92d191318
                                      SHA512: 0e091a236e85b5a0645a06a42811620e6f2ec92de48e4bbf182340186302b112e5b16b07c50754e1f01b4257cafed4777d4769c9f9ebb7554ec9c4130b5807d0

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 6671bcea7342776a05c0072563655473
                                      SHA1: 43c4ceabe6e3d8e7d6f1cfcb31855fab72124a37
                                      SHA256: fb96c3a02e98a14d8b9b0b4724469c78deb8647302e8d6dfafdc252298d81117
                                      SHA512: 23214db3ca67ec4d06de88c9b06d4b3121d5e6033d026c5eb63d33303b0a500d85e9c46f5ed8e9deb280e37c2aefa35576d972075a7d34623cb4becd0fc0ab53

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 443c01fbe8528a007a1abe29bcb9ff47
                                      SHA1: a0c8bf5c9742f3bc18180ff70e3433abd31d7a63
                                      SHA256: 07190fc82eb3592e45d9e32a6d6ec33cbe1860b22f9078da403cfe06b862d659
                                      SHA512: 8f981529c76864874b01225d760a675d89ef596cabede9ef065f8a018106f3a4d8c0421e902e18a04ce3615f28b70ecb3a745669f8b5922241984fab96611ee7

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: be570c79a937e027006599f57ae59467
                                      SHA1: f9ce965634fdf3c0e45982b23eb95a2ba9b20bea
                                      SHA256: 51d7d1da58c1bf4efaeebffe3129ad6a103bbfc2535897df3113ed7a8cac55ca
                                      SHA512: f32a0debb98a11b03de356e3cf8df4933b84637dc4f83df7a805b697b51d1d2d1473a7de8b3b25f0880ec2a3e2e0190e0f1693951608d4e128759ea362ddd81e

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 3ab392131668032a8e287a7dcbc39633
                                      SHA1: 80a9a45d358e9562b8236d41333c4b8c4dc72dc0
                                      SHA256: 287db7ceefcaadd5832f406ac9bc32d2b3bd5967a24a898b9824e9fdc29c1f46
                                      SHA512: 076bcd306885edf119535272489b8170fe7ac42fa2aa10233c7d10137f6a5a7946f240f648c36cd8fd4a2d235214c78c511a04ed25115c915745ab59c775f2ab

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 4b59ddfd6178f442f4209d172a485ea0
                                      SHA1: 5be17719e889fae77eb3fb5ec4299c70a8542a1f
                                      SHA256: 5c5f318ce6df15556fd552fc50a2ff157d83b8ff30d22dcd4bc764dc912e49ee
                                      SHA512: 04c45cb15088597228f705fa095d12981d713df14fd6fea4f629f6dc71a2ceab2cfb6a8c6ecd273c012eddc7f26fe52ef8d6e95de2731aea2a713cc481872cc5

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 08035b57a1be16e2c0471bdf071bee08
                                      SHA1: 0b5a8fa7aa75dc83d12946b89ac2804af493a3cf
                                      SHA256: 7a4cff50ef3f8c4277f1fd3d36738ab4e53e20c641e9e96013e3a68cc588f5ab
                                      SHA512: 20a6cae3cf2ed4c0c4164e0e99ea949149ca3cb6ad3f6f668ef295e769c904cc5080677e057dbe03e68632d7764601cf63ab85f94121d49f35bebe994742de97

                                    • C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat
                                      Filesize: 225B
                                      MD5: d5e64f66b99dd8df35f369181d7ad2a8
                                      SHA1: e0e56a7bc30218a7831f8d4af531d729cd889179
                                      SHA256: b601a9e79cde9d29a167b86501b7d82b45e66a781f971ff0f2b097bde1e6bd53
                                      SHA512: 2d86f85da8d9fbf0d84bb5f10fbc2b47d7cd5b121f0f1b98e06c7c21c813a0636ad686c75d8c25935d48bc62e28210ad8d55a9d2b3e0614a9d3e1a62c5f767d9

                                    • C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat
                                      Filesize: 225B
                                      MD5: 6b3f4bfd4960815f474f9006255c283c
                                      SHA1: f9044745ba8201f21685223c45aa2e33e995039e
                                      SHA256: 718bdd16968cc3b0bc116f9b08bbd663fa022c77ca84dcf1b97fb13cfa0f637a
                                      SHA512: 9b9335b7f3f849b637235749e53345ed535ee3d9ff58a2c449d7517d70e780df0a5bbe2ae4698a3d8b57d84d54f705413a18f7ad10e634ada54f0b88bdfbfb07

                                    • C:\Users\Admin\AppData\Local\Temp\CabB3C7.tmp
                                      Filesize: 70KB
                                      MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                      SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                      SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                      SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                    • C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat
                                      Filesize: 225B
                                      MD5: e9eb103fd9f8b7cb6f93b0369bd045aa
                                      SHA1: b7cb174f9e59863376e0ef78ffbe27005d3e5e22
                                      SHA256: 7ebf390695445d8b0198407a7a315037685047da183181611d45cea90e555455
                                      SHA512: 5b610f980b879054e3dc5037e8b4ed306db57fb1201cac785be234cc929aaf3a4a5aa8129f346f84a9261d9678d367fe9351d862cc6e5d839650e99afda4eb59

                                    • C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat
                                      Filesize: 225B
                                      MD5: d0bdcde2c742b6238bd9ecc60f0f6896
                                      SHA1: dd974cadf760f057e3b2b7c5bdc109a6b1b8a08b
                                      SHA256: 4ba4fe169cb6e06126c6874b14d3984ce0148c581da92248e4d0c92400f7cc94
                                      SHA512: 9b8bcefeeae5faa3c96ba08d36344d4453d7339d3a044b6494b0c4d1b0052c1097c44428a3e4077040cbfedfaee69451b938ceae812ea2fb05e21f11a93408db

                                    • C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat
                                      Filesize: 225B
                                      MD5: a5d53b2eb942f402a0b487ae74486326
                                      SHA1: bef362c7f58624823893fcaf4d52d8df84b1baea
                                      SHA256: 1be4615870c82435ea601d73ac05711d598935dddc726ecbc948227c419b5db3
                                      SHA512: 765206027d98b37b8ea51970ee9479f6debea58dfbe4daf9311d786576d539dc7e8f0f917b6f0012ecac33b9e6d2dc65ad612d033cb7415ddd94a425131ed2db

                                    • C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat
                                      Filesize: 225B
                                      MD5: 5b3d19c7639c923ce7ccc0631bcc2692
                                      SHA1: a7c2e04f2f65b0d0a1fe7327fe600fe451e86c40
                                      SHA256: 90de36f3c13a91b154fcff5bf1c26e758f25f01ea9a56195da8043144ac44405
                                      SHA512: d7ed3d44c14e821e758339ace146d7079d2270a38f93a5aa437a2eb5e3ca1e42057bc039fefe64fe108f242cb781984b0e903744d9bac282a345d98819bf0f3c

                                    • C:\Users\Admin\AppData\Local\Temp\TarB3CA.tmp
                                      Filesize: 181KB
                                      MD5: 4ea6026cf93ec6338144661bf1202cd1
                                      SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                      SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                      SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    • C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat
                                      Filesize: 225B
                                      MD5: 8108138886f15e7cd9734b2fd4da4995
                                      SHA1: 18e6d8375f3b2ae400ea3b3d3bad51250d57a276
                                      SHA256: 4e4d3e134685976c78c2589276669271d00ef93c4455725dcc4638f5c929748c
                                      SHA512: c551595030b8d535ff207b7d86a1283e73f02a6a72560ef2817ad959af3496977fb2e33f3d66a8eeef77da4e33a9186b0baf03c4b07b818a0c76595445f7f604

                                    • C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat
                                      Filesize: 225B
                                      MD5: c78d148f17c51dc72497baac67b9b0bc
                                      SHA1: 8e5247edfee22c3c59137201d7c9bf17cc842d3c
                                      SHA256: cceabeacbcfacc9f337a605b2bcea36facf960c301d18e00db83ff0814c93594
                                      SHA512: 3b34654d8a337208219e31cfacb360a4189fa0d4270cfa6f8f9e189af30fc0aa33623c6f0a2ba4cc3b76d35c8b675f2c81ded0c6af44aa4c773d0744f18087d6

                                    • C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat
                                      Filesize: 225B
                                      MD5: a9683e00ddc0cd212f690d4099bbcad5
                                      SHA1: 89d9ae77114ab586cf70eea201b070d227e620e1
                                      SHA256: 4679c179db3524587c88b0f8ecbac4788f9384a7a24b1f65769476f5ea6c860e
                                      SHA512: 24dcfeaae14b3370270b284885e0e765d55a1a6b79f02e504c0f7bfcb53c254c0cd0bdab636f4f5c330cd0568fb4ab6cc69676e98a28b160d69d571ec3083c48

                                    • C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat
                                      Filesize: 225B
                                      MD5: 5520abe4c3a9f5c052a491104c15b244
                                      SHA1: 09de58f9f24ceb08ffc06ab9736d7caff7a89373
                                      SHA256: f67893efd1f71f3b875b056d671e362fd585b0d30df57e09051d6dbef430c6cc
                                      SHA512: 02ee930e5c3c187f9a00b143958f811d505299e97ff804108d4c67c4540fd2a0f26de7b4839ed83088087acc3dc782b58d72c61748c07ffe74d10cb1da6f646d

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DBWE7N58891RPDGLWTF7.temp
                                      Filesize: 7KB
                                      MD5: 213888529696536d33a80b6d57c28173
                                      SHA1: 90d59f38970ec03bbff53949923f0996725c6c8e
                                      SHA256: cab86cab3a0c404b5ce1b3ef44b60c52ff2518d6b4a3e92e54c4b4c01d747d23
                                      SHA512: 5a56e80221852d6b5b32426679761b98c2bccfb015049afa22605b846f48007863dfec824f8b355fd5c7c9a1133327bcdca1e5e0c99dec2ac35bab8ce89d5027

                                    • C:\providercommon\1zu9dW.bat
                                      Filesize: 36B
                                      MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                      SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                      SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                      SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                      Filesize: 197B
                                      MD5: 8088241160261560a02c84025d107592
                                      SHA1: 083121f7027557570994c9fc211df61730455bb5
                                      SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                      SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • \providercommon\DllCommonsvc.exe
                                      Filesize: 1.0MB
                                      MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                      SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                      SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                      SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                    • memory/292-253-0x0000000000120000-0x0000000000230000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/1012-14-0x000000001A600000-0x000000001A612000-memory.dmp
                                      Filesize: 72KB
                                    • memory/1012-17-0x000000001A630000-0x000000001A63C000-memory.dmp
                                      Filesize: 48KB
                                    • memory/1012-13-0x0000000000A00000-0x0000000000B10000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/1012-15-0x000000001A610000-0x000000001A61C000-memory.dmp
                                      Filesize: 48KB
                                    • memory/1012-16-0x000000001A620000-0x000000001A62C000-memory.dmp
                                      Filesize: 48KB
                                    • memory/1520-493-0x00000000011B0000-0x00000000012C0000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/1532-612-0x0000000000150000-0x0000000000162000-memory.dmp
                                      Filesize: 72KB
                                    • memory/1620-313-0x0000000000200000-0x0000000000310000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/1684-61-0x00000000009D0000-0x0000000000AE0000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/1748-374-0x0000000000240000-0x0000000000252000-memory.dmp
                                      Filesize: 72KB
                                    • memory/1748-373-0x0000000000B70000-0x0000000000C80000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/2144-55-0x000000001B730000-0x000000001BA12000-memory.dmp
                                      Filesize: 2.9MB
                                    • memory/2280-193-0x0000000000550000-0x0000000000562000-memory.dmp
                                      Filesize: 72KB
                                    • memory/2280-192-0x00000000009E0000-0x0000000000AF0000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/2828-672-0x00000000003C0000-0x00000000003D2000-memory.dmp
                                      Filesize: 72KB
                                    • memory/2888-131-0x0000000000370000-0x0000000000480000-memory.dmp
                                      Filesize: 1.1MB
                                    • memory/2888-132-0x0000000000330000-0x0000000000342000-memory.dmp
                                      Filesize: 72KB
                                    • memory/2960-67-0x00000000021C0000-0x00000000021C8000-memory.dmp
                                      Filesize: 32KB
