dcrat | 8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe
Size

1.3MB
MD5

9750283d483077659c89dd872680474b
SHA1

021438c2fbb0db2e05a46bda394d0be9618eebd8
SHA256

8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5
SHA512

f45629c718be88165a6d2b5d06500f3eddce858bcdcc468e4b5646323ea3e66367a1645aadc3ca8c8f0baa57f68b1c20e4719f2c79e02e6fa85e304e69e6b45c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2712	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c81-9.dat	dcrat
behavioral1/memory/2680-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/3036-30-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/3016-170-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/732-230-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1892-290-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2784-351-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
1908	powershell.exe
792	powershell.exe
528	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2680	DllCommonsvc.exe
3036	audiodg.exe
2428	audiodg.exe
3016	audiodg.exe
732	audiodg.exe
1892	audiodg.exe
2784	audiodg.exe
1984	audiodg.exe
2088	audiodg.exe
2412	audiodg.exe
2440	audiodg.exe
1784	audiodg.exe
1608	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	cmd.exe
1804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2604	schtasks.exe
2156	schtasks.exe
3024	schtasks.exe
2848	schtasks.exe
2828	schtasks.exe
2644	schtasks.exe
1240	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2680	DllCommonsvc.exe
1908	powershell.exe
792	powershell.exe
1712	powershell.exe
528	powershell.exe
3036	audiodg.exe
2428	audiodg.exe
3016	audiodg.exe
732	audiodg.exe
1892	audiodg.exe
2784	audiodg.exe
1984	audiodg.exe
2088	audiodg.exe
2412	audiodg.exe
2440	audiodg.exe
1784	audiodg.exe
1608	audiodg.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	DllCommonsvc.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	3036	audiodg.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2428	audiodg.exe
Token: SeDebugPrivilege	3016	audiodg.exe
Token: SeDebugPrivilege	732	audiodg.exe
Token: SeDebugPrivilege	1892	audiodg.exe
Token: SeDebugPrivilege	2784	audiodg.exe
Token: SeDebugPrivilege	1984	audiodg.exe
Token: SeDebugPrivilege	2088	audiodg.exe
Token: SeDebugPrivilege	2412	audiodg.exe
Token: SeDebugPrivilege	2440	audiodg.exe
Token: SeDebugPrivilege	1784	audiodg.exe
Token: SeDebugPrivilege	1608	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2060	2168	JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe	30
PID 2168 wrote to memory of 2060	2168	JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe	30
PID 2168 wrote to memory of 2060	2168	JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe	30
PID 2168 wrote to memory of 2060	2168	JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe	30
PID 2060 wrote to memory of 1804	2060	WScript.exe	31
PID 2060 wrote to memory of 1804	2060	WScript.exe	31
PID 2060 wrote to memory of 1804	2060	WScript.exe	31
PID 2060 wrote to memory of 1804	2060	WScript.exe	31
PID 1804 wrote to memory of 2680	1804	cmd.exe	33
PID 1804 wrote to memory of 2680	1804	cmd.exe	33
PID 1804 wrote to memory of 2680	1804	cmd.exe	33
PID 1804 wrote to memory of 2680	1804	cmd.exe	33
PID 2680 wrote to memory of 528	2680	DllCommonsvc.exe	44
PID 2680 wrote to memory of 528	2680	DllCommonsvc.exe	44
PID 2680 wrote to memory of 528	2680	DllCommonsvc.exe	44
PID 2680 wrote to memory of 1712	2680	DllCommonsvc.exe	45
PID 2680 wrote to memory of 1712	2680	DllCommonsvc.exe	45
PID 2680 wrote to memory of 1712	2680	DllCommonsvc.exe	45
PID 2680 wrote to memory of 1908	2680	DllCommonsvc.exe	46
PID 2680 wrote to memory of 1908	2680	DllCommonsvc.exe	46
PID 2680 wrote to memory of 1908	2680	DllCommonsvc.exe	46
PID 2680 wrote to memory of 792	2680	DllCommonsvc.exe	47
PID 2680 wrote to memory of 792	2680	DllCommonsvc.exe	47
PID 2680 wrote to memory of 792	2680	DllCommonsvc.exe	47
PID 2680 wrote to memory of 3036	2680	DllCommonsvc.exe	52
PID 2680 wrote to memory of 3036	2680	DllCommonsvc.exe	52
PID 2680 wrote to memory of 3036	2680	DllCommonsvc.exe	52
PID 3036 wrote to memory of 1740	3036	audiodg.exe	53
PID 3036 wrote to memory of 1740	3036	audiodg.exe	53
PID 3036 wrote to memory of 1740	3036	audiodg.exe	53
PID 1740 wrote to memory of 1760	1740	cmd.exe	55
PID 1740 wrote to memory of 1760	1740	cmd.exe	55
PID 1740 wrote to memory of 1760	1740	cmd.exe	55
PID 1740 wrote to memory of 2428	1740	cmd.exe	56
PID 1740 wrote to memory of 2428	1740	cmd.exe	56
PID 1740 wrote to memory of 2428	1740	cmd.exe	56
PID 2428 wrote to memory of 2624	2428	audiodg.exe	58
PID 2428 wrote to memory of 2624	2428	audiodg.exe	58
PID 2428 wrote to memory of 2624	2428	audiodg.exe	58
PID 2624 wrote to memory of 2584	2624	cmd.exe	60
PID 2624 wrote to memory of 2584	2624	cmd.exe	60
PID 2624 wrote to memory of 2584	2624	cmd.exe	60
PID 2624 wrote to memory of 3016	2624	cmd.exe	61
PID 2624 wrote to memory of 3016	2624	cmd.exe	61
PID 2624 wrote to memory of 3016	2624	cmd.exe	61
PID 3016 wrote to memory of 1312	3016	audiodg.exe	62
PID 3016 wrote to memory of 1312	3016	audiodg.exe	62
PID 3016 wrote to memory of 1312	3016	audiodg.exe	62
PID 1312 wrote to memory of 1336	1312	cmd.exe	64
PID 1312 wrote to memory of 1336	1312	cmd.exe	64
PID 1312 wrote to memory of 1336	1312	cmd.exe	64
PID 1312 wrote to memory of 732	1312	cmd.exe	65
PID 1312 wrote to memory of 732	1312	cmd.exe	65
PID 1312 wrote to memory of 732	1312	cmd.exe	65
PID 732 wrote to memory of 1648	732	audiodg.exe	66
PID 732 wrote to memory of 1648	732	audiodg.exe	66
PID 732 wrote to memory of 1648	732	audiodg.exe	66
PID 1648 wrote to memory of 2980	1648	cmd.exe	68
PID 1648 wrote to memory of 2980	1648	cmd.exe	68
PID 1648 wrote to memory of 2980	1648	cmd.exe	68
PID 1648 wrote to memory of 1892	1648	cmd.exe	69
PID 1648 wrote to memory of 1892	1648	cmd.exe	69
PID 1648 wrote to memory of 1892	1648	cmd.exe	69
PID 1892 wrote to memory of 1840	1892	audiodg.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8962101fb05264bcf8d7958316b55b2819071f8fd0a7d7f4ec7c30399f1cc8a5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1760
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2584
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1336
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2980
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        14⤵
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1752
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        16⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2156
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        18⤵
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1072
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        20⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:856
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
        22⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1896
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        24⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2252
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
        26⤵
        
        PID:600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f5a6b7b4757897e1a84e068bf1077d

SHA1
6945ed4c68dbff36c16d35a7ec4fd2358d45564e

SHA256
d2d3d7f24648e747d34e8b87892055e069dbd6c1a639e57f5657a2d4234dde47

SHA512
a8802eab74ba4dc496dbf0a8557ef80c8971af07bff542121c3112a65cd8cc041436591babac0e2527ff5a6f2f05a609c2b7a6d0eef85459dfe725ba9fd31f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc5089f03bce72ce4af196d85cb1d679

SHA1
8ab71b722dc34a386bc4839d83a6907196e14c0d

SHA256
a2de6d9885e5aa710706cea0c148b821ac45c09c6f8bbeee6ea873ecfdf27778

SHA512
688dcf8ef816a1c39023dc00c456638e4a00c01704f0f37d477a135a27f5f1740baebb3fd684a58f5f55a5fa6f1b1c2a34f5cfb0a7607d94465568011bb8a95d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c7960dbaff0396dc3a7505b22213202

SHA1
ce025d5f308e9e038c00c81b41acfc0e4fd85bc8

SHA256
feb1e52bce699f3556c83a9810448ec2fee1227cd4d36b263b28a6ad549818ee

SHA512
becd0740fa0136dfefbaf655a145bba5956ca9e88e78851d6b0b12916294d2d4de5407e7f46287124c9fe8a0efeaf85d7336bcc430e6b23b6266853cf29964e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
339a144c6f9472b3cfa449c135b0d8d3

SHA1
03e39b225a93e90a3750ee8fb3e9d816def3ef15

SHA256
28cad4f4af6add0e3d745db1fa740cfb5c96c4d53b5fd4cc8b822101ac3f4a99

SHA512
04f861b6fc0cf99a4d496141d2863ba81e1f7510ac4bd9e5a058bbcf308e31083f9302fa8cb5101601afdc53ad058997e415e413fc98e3ffa1a3acbdc8685a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb653092895c423016f7be4b89e52f3

SHA1
273b8a1212d994a0756d84f1b67c69b7d5e90a92

SHA256
9242687c05a3f1f6b9165688875109a5e611c2f914862b9a7b023c7bfb37d481

SHA512
0acde675b9d1012c0583a233318c1740db67a40e147b40c9bd4dda93d72d6d8c6d63c62dcfbe6bccbc96cfb57dafe111805bd0473cb0e64c3f0086033069ae6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ce83a60b912cb670f9aaea73c9f778e

SHA1
6bb2d8536e81c01ffdea59deb1799ad61434cbc8

SHA256
00ea51465d608a9ed45cbb7b37841470ae3aef6f37019389a277e7cf74e9cf7c

SHA512
615fcfff7e17adbf0607e8e11588f8aba26be0a948648d901844aa0931ea902eb80edbda543ab3edaacc7c1c61ff41f760ffc8f3a1fe81a58273c17dcaa6ecee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7ae775eee793b0df4fba334e1ef092c

SHA1
2ef79537df7457551eb805398384ee3c4319c823

SHA256
286b8f350e9a2a69ea2b0a3152360a5ccd1dbd6e441448fbce4aad2785a09e4f

SHA512
7cb3bfed945418d7ac408d90fad716b7b1486cf3a0af788a9d3468517c824e045aa194289712e70924b14a3567c0ea55e079bfa8ed8a8c487a133769f0fba00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a22158d076de688add463d4b85bb0ced

SHA1
207252320c5a1d7a7b6fa4c295979ff5ca12d096

SHA256
0bbde738c9ad380fbca987ee37df7593a0943176cbd898e6fc53c08a38086380

SHA512
295b3e6c891b6d659c7034473b007149bee1eb67c8e5d9c1a02fc70149dbc375db08094ecbe9f82f7ee310c2eb1ee5f8c19df5ea00b632fc0d4545efdaffe351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c46339feb0089705db8bd14fc4cfcb18

SHA1
8e02ed6511e77ab6d4f9fe08c44434207c814519

SHA256
848a912290689df4066a3f96ebf175ce4cbd5c4bc192711951e6738d1e52649c

SHA512
dc671120d14da197078d857cb263fd3beeb953cd709313b68120eed525651e0044a9f0e9703af209de091e62e7faf7e9d4d5eb79cebeab3a7ca9256213b20ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5bb75f2e7d5de34ee83c4cb76a26681

SHA1
51c6ee1665b2c0dd907d38c920e875fa9942ce8c

SHA256
b4b5da44f56d21c864d2f775e9a20695516b21dc2cc0693386b8debaf8347ec0

SHA512
df52f057270d1d549b2654325fb69028117e8d85b4f2ab84139fce2bdb65844f5ea5d21ce5f70314af6c167ccbc3c371aad343cd43dc55c9c8e26d503f1a9539

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
239B

MD5
30ebdc03fc1239f67a67ff0963bb2bed

SHA1
9cc4274cf24d6a2e6b9b9c0e15a456b3478f7a12

SHA256
727c0ec1f5ac0b1d55e48fc2b07e4b27399b3826281faa33deb0f99cd77912bd

SHA512
35e44a61628b86f5d7c1deffa29332c0b4568d0c47b326c7d16f54951bd8468e80e635112c39130444b42ad9a0cb6e19bae27de0b619bdc13c79a9e29510f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
239B

MD5
7a02aba010473c5450a5dd366497b936

SHA1
aa5a5fc37409e7d8ffd9ec10d34840bf6a3b766b

SHA256
fb3bc82048250dc14ecf4787382ceeee0ad4d2c76cc9431affda635ca28b31c9

SHA512
8292ecaf6ac0d4db66ed7993cd626377e441c624bac31ec0e697486d81ad01f707780425db248eac664e580fc33eb15fa3b5476fe073f1171eb9141cf3e9bcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

Filesize
239B

MD5
1449ba10239bf77d81e66aa2645378e2

SHA1
660657985bc494697111f8f15486f7b80902daf9

SHA256
a3949fb53f67c9af8a63874b1d5b0f26a703af44eadb5aed5d52b571a380a8db

SHA512
0754f9e04d2dc2d50fca89fb9ea4c753b5c961e821dbe95728b2ab4b0cce691550b37b6a9c5d95bb8b19fc22f43f9294e622c33f96e8ad07c13cf73d0a895434

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA759.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
239B

MD5
77fbb32f7cb146025132a3312eb59e9d

SHA1
80af53de2f15ecc9e40a15e435ed9efc09dcd878

SHA256
82b1ad3659f4c2893327e06113f1d7ad8cfa8f5b4050e0bf0b97c45a9866a830

SHA512
56121a89434ee5e8ac583ca5225483f89d17c3f6dbad760289eb8bb847aa5b801b5962d669196afdf715ca96481e396493b2afb9602d1fe57b9801b9288348dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
239B

MD5
1d52962a7ce31367cb4979aa5ac38e87

SHA1
849d9fb99bcbfd62a1c14b091c26cb20184c6598

SHA256
82f3b405219f7ac75340c0d94a67ee8dd2f522e95101b7915414fae35ec0c75c

SHA512
713bc86863d66e0cbefc058cf5c3aa5e16c8f3830ccf6b8129ad478021f47d8be7514b07369e56a1ec432e28966b616fa475dce6d053d8af399dd5231a76e395

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
239B

MD5
276896e081789fbcb0d8e0ee0b895bdf

SHA1
618298083971c3dc78d2d80deadb244d364a105f

SHA256
8567efd8cbe23e654fb0fbf2db28ef12aa412f266a10221f6877a9b46cdcb877

SHA512
95126b42e017d4ee3ffdc107e243d3af6508eac1f07508c2584e0b824e505cb22c9e93e3fe6d96b61acfaa8d3d77104bca9c2933b2ee3faf931c209a97f21e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA76B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
239B

MD5
24bb71cce19535e6612c8d026f5541a6

SHA1
e63b71053a58fe30ebb6c7cbd3059fe3906ce358

SHA256
c9d6e5115b051fc7a742eebd949b3bd0c90f061cda167727bc96a6a8fc899621

SHA512
159a1f2ce246c1b7370b76b3db2ee4f9ddfef46f23788a2028e94bbe715409d57155a8799134f7b6030e2432534ffe7ea3a6cc914125a83b1f61bf55481338b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat

Filesize
239B

MD5
b5ffd6f58d0630d7a85d7f2f9e0c6369

SHA1
3c6ffa025ecb560b12c02bad18fb8e4cff466b39

SHA256
d27b65e259af08c0e7f8e329c3350f8ffa115bce1d9b37516f3fa806395e7b1d

SHA512
d8b6393072245bdce2a379018859a89d7999514cb2722454c986c925fc5ecbbc1b6f6d79b38acd246b9edcabf6c391fdbe3c309e0f692bb3374cc1be8da3b09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
239B

MD5
c6fe213c12711d91a024443f7ef071a6

SHA1
4c3e83943cf9f74bc82dce79e46005e314d01209

SHA256
7c53d6806aba9b44ce2b09243c7406306c2ef90bdea20f2abaf8a82dabdddf05

SHA512
df1aca35fbc75a94e8d797e655437d60d8948518ea20f55f17495c471e0d60808dc5efb8b1c81bcaea78d017d542a678473be8bda24fe265226167137a99048e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
239B

MD5
a633c47ce1b9484c29b2b2507da83e90

SHA1
255f98d6895df1e04e3169d7e7202c5ad55766c0

SHA256
6862a73699a7be481faa89b1255312c64ced328a434480e503c28c21c56d6f22

SHA512
6fc5e5f4f99aa685c257815b702344a6d2e328753567a275646880f1305539951fcb888b2148b32bdf04db0ed222223d6411d6f6143bc4852945b9573e7611d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
239B

MD5
15dd89529db6cc899eca50f67ca14590

SHA1
5f794815803b846b31549aff429f0baa8ce77cf2

SHA256
7b91636b6ed83fae3e9d33da9cfcf6190394c9fafa68476df9bc1f5a3afc5ff1

SHA512
9f43bd2af050e712e89f0312cd1123ed997c70de8f668b203027ed1abf6f51c97918082da67873c46b81bb7ab0f06227c578db478eb9443a0958c68ce0c382f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
afb25371ac683213bd2f63d4c9ea91e5

SHA1
0637be581369c235075ab678749c66ad33d14992

SHA256
a899d504637c47ac9efd3b068309df474322ff82ac5d8d3d472e268e0faa55e9

SHA512
8be026cc830f73993904ef3327a3cb4bd1a35729ae5123dd3b616414c60fea799f88d7081828d50a1051ee5653cd5a2e1d344417c2b7fd50daae3edbd4eb3f7d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/732-230-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/792-51-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1784-648-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1892-290-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1892-291-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1908-50-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2412-529-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2428-110-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2680-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2680-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2680-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2680-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2680-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2784-351-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-170-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-30-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download