dcrat | 4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe
Size

1.3MB
MD5

787f897ace218fac0acb509e7c3dad7d
SHA1

9bd24a5dc54515a98c06a4d8ff954f1a7d0c113a
SHA256

4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716
SHA512

57a0017bbef0f94939c1481beb7088df08d07bc8f17e326ce45608165c7925e92460a57982a2e7bb43f05b24e2986c31e2d0d9a128604d8444bc3f25a5745966
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2740	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2740	schtasks.exe	32

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014b28-9.dat	dcrat
behavioral1/memory/2748-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2864-40-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1576-110-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2656-170-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1996-230-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/2992-290-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2836-409-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2140-469-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2928-529-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2704-589-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1488	powershell.exe
648	powershell.exe
1116	powershell.exe
280	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2748	DllCommonsvc.exe
2864	audiodg.exe
1576	audiodg.exe
2656	audiodg.exe
1996	audiodg.exe
2992	audiodg.exe
1240	audiodg.exe
2836	audiodg.exe
2140	audiodg.exe
2928	audiodg.exe
2704	audiodg.exe
1964	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
38	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\b75386f1303e64	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
604	schtasks.exe
828	schtasks.exe
1036	schtasks.exe
1824	schtasks.exe
2668	schtasks.exe
2520	schtasks.exe
1664	schtasks.exe
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
1488	powershell.exe
648	powershell.exe
280	powershell.exe
1116	powershell.exe
2864	audiodg.exe
1576	audiodg.exe
2656	audiodg.exe
1996	audiodg.exe
2992	audiodg.exe
1240	audiodg.exe
2836	audiodg.exe
2140	audiodg.exe
2928	audiodg.exe
2704	audiodg.exe
1964	audiodg.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2864	audiodg.exe
Token: SeDebugPrivilege	1576	audiodg.exe
Token: SeDebugPrivilege	2656	audiodg.exe
Token: SeDebugPrivilege	1996	audiodg.exe
Token: SeDebugPrivilege	2992	audiodg.exe
Token: SeDebugPrivilege	1240	audiodg.exe
Token: SeDebugPrivilege	2836	audiodg.exe
Token: SeDebugPrivilege	2140	audiodg.exe
Token: SeDebugPrivilege	2928	audiodg.exe
Token: SeDebugPrivilege	2704	audiodg.exe
Token: SeDebugPrivilege	1964	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2964	1860	JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe	28
PID 1860 wrote to memory of 2964	1860	JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe	28
PID 1860 wrote to memory of 2964	1860	JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe	28
PID 1860 wrote to memory of 2964	1860	JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe	28
PID 2964 wrote to memory of 2732	2964	WScript.exe	29
PID 2964 wrote to memory of 2732	2964	WScript.exe	29
PID 2964 wrote to memory of 2732	2964	WScript.exe	29
PID 2964 wrote to memory of 2732	2964	WScript.exe	29
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2748 wrote to memory of 1488	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 1488	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 1488	2748	DllCommonsvc.exe	42
PID 2748 wrote to memory of 648	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 648	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 648	2748	DllCommonsvc.exe	43
PID 2748 wrote to memory of 280	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 280	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 280	2748	DllCommonsvc.exe	44
PID 2748 wrote to memory of 1116	2748	DllCommonsvc.exe	45
PID 2748 wrote to memory of 1116	2748	DllCommonsvc.exe	45
PID 2748 wrote to memory of 1116	2748	DllCommonsvc.exe	45
PID 2748 wrote to memory of 2864	2748	DllCommonsvc.exe	50
PID 2748 wrote to memory of 2864	2748	DllCommonsvc.exe	50
PID 2748 wrote to memory of 2864	2748	DllCommonsvc.exe	50
PID 2864 wrote to memory of 2376	2864	audiodg.exe	51
PID 2864 wrote to memory of 2376	2864	audiodg.exe	51
PID 2864 wrote to memory of 2376	2864	audiodg.exe	51
PID 2376 wrote to memory of 1792	2376	cmd.exe	53
PID 2376 wrote to memory of 1792	2376	cmd.exe	53
PID 2376 wrote to memory of 1792	2376	cmd.exe	53
PID 2376 wrote to memory of 1576	2376	cmd.exe	54
PID 2376 wrote to memory of 1576	2376	cmd.exe	54
PID 2376 wrote to memory of 1576	2376	cmd.exe	54
PID 1576 wrote to memory of 1072	1576	audiodg.exe	55
PID 1576 wrote to memory of 1072	1576	audiodg.exe	55
PID 1576 wrote to memory of 1072	1576	audiodg.exe	55
PID 1072 wrote to memory of 2648	1072	cmd.exe	57
PID 1072 wrote to memory of 2648	1072	cmd.exe	57
PID 1072 wrote to memory of 2648	1072	cmd.exe	57
PID 1072 wrote to memory of 2656	1072	cmd.exe	58
PID 1072 wrote to memory of 2656	1072	cmd.exe	58
PID 1072 wrote to memory of 2656	1072	cmd.exe	58
PID 2656 wrote to memory of 1808	2656	audiodg.exe	61
PID 2656 wrote to memory of 1808	2656	audiodg.exe	61
PID 2656 wrote to memory of 1808	2656	audiodg.exe	61
PID 1808 wrote to memory of 1972	1808	cmd.exe	63
PID 1808 wrote to memory of 1972	1808	cmd.exe	63
PID 1808 wrote to memory of 1972	1808	cmd.exe	63
PID 1808 wrote to memory of 1996	1808	cmd.exe	64
PID 1808 wrote to memory of 1996	1808	cmd.exe	64
PID 1808 wrote to memory of 1996	1808	cmd.exe	64
PID 1996 wrote to memory of 2160	1996	audiodg.exe	65
PID 1996 wrote to memory of 2160	1996	audiodg.exe	65
PID 1996 wrote to memory of 2160	1996	audiodg.exe	65
PID 2160 wrote to memory of 1088	2160	cmd.exe	67
PID 2160 wrote to memory of 1088	2160	cmd.exe	67
PID 2160 wrote to memory of 1088	2160	cmd.exe	67
PID 2160 wrote to memory of 2992	2160	cmd.exe	68
PID 2160 wrote to memory of 2992	2160	cmd.exe	68
PID 2160 wrote to memory of 2992	2160	cmd.exe	68
PID 2992 wrote to memory of 2296	2992	audiodg.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4def7e84aa64a60490581f43216a63e439974443bf06f1cca30daa10f5a27716.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1792
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2648
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1972
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1088
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        14⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2592
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        16⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1680
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        18⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1640
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        20⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2420
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        22⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2616
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        24⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2784
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df0a346df01cbcdd85a962e5623eebcf

SHA1
623272f89a5faa4452e63127c3fb7dd0103142ed

SHA256
f03379049bfc4a6227113666a00ae10a4b2791d42f68f52b9886af1b69fd82ac

SHA512
40143854c68c8201b41470f8166ab971e03b1988e394264ec63ef40a672924e3a25e5c0e87d74ac40d101bd08530414cecae87aab80ed6904e3f45cad7f045d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6870889e99573a89e22a172afb2675b

SHA1
d3c982d918e5949181da47736e1acb8d6a8c4f7c

SHA256
39b00baf26cf644e4f637e93db5bfebd30eca2842335a7998e844fa1c1a2e3e8

SHA512
ce61a6ec5afdbf1c6b2ac82b99103f738f8c8838a5c50cb827f0903c6f13445459d93677fc3df21dda7e451a6a8b3c7ffd05148503ef8bd8e10abe0676ff1913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97658400e47cdf5b135f65e500869e61

SHA1
52124f21bde5ee0a9bcacd0ccc4af99fc642eaf6

SHA256
23b6b37a30d8a874d51abe0f6470b2f1219b7071350f8a2da7d645f52eab8c11

SHA512
c6159ec3f39172191b70d1721cdd39952389adc8760965ff78606188f5ed2dd778ac47f4d8388293697138aaf977b5f6548cf268c7636f694dd981e5da8d914e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b12c5f0f69231887e81349655fdc965a

SHA1
7f1dd7a3678affda53a1f9a8200752d5ca3b5a0b

SHA256
f7ea8f45beabeb048bfe3073b5fca416930c096a9d06cab0263030d1f0bc217b

SHA512
66a61dd303d384d73a3eabae50cc5f892d9e5fb6b37eab254a524ca4b86f268ed286a8530f6bfadd3070e3f6c971b05d23a3afa19ecb7727c0a6e925f607383f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a23c3a8f340300c90e0624e1d08a5b07

SHA1
66a9d279e77bad8b96bf24635fdebef5d3ededff

SHA256
defbdd532c05deb82ece7cbb5f6f29725ad36fa085e758fee065a94859ed6cbb

SHA512
a712968ff9b5fb02fa3ff113575491f0323eee00ee561a761f281e385bd181c7886dbce78f03e405bd0e5b920318543dda341f973e2d07a15194f2feffbe5b92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
590984bba7e3722377f1e95d3cc2b972

SHA1
b762fe1239ba6841c7579438cf7c3d19687ca412

SHA256
1f3bd4c84dc974bd4dd5302bd8f85170877ceac7d8806e5c4acc91b128fcb83d

SHA512
705affa2b48b69c95fe9d454cf51d812f9bb48330b7fcad7ee8c39b06657082337500468fef2ce5e297058cb1e85dfaf27014f6d2b51ddc7a2907ee8a5c7b6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0efc5ddc1260088de963e840f12d0a86

SHA1
51fcdf18c20a265b1c84defce79662be9da33669

SHA256
d008e4dcda32622ffafb9077f116f207dd26930971e90d3fdb4795b07d2fd538

SHA512
04ee1d778800174d8a53ccb0c120c7a2bf227b95f26a9c7da2371f7e02ccbe55efa697813baa9503a9e69e7b64c452259e155d07613c46c2c58c4aa298d6a78a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e78cb5c246495d37fbaa0251069b60e8

SHA1
2c3e67b269f65a1a8812ef22b3a6af625f5a76e1

SHA256
f8459d3940192d85269b66f07d36372ee035792ca7d4adc8c317c74772fadafd

SHA512
535f0af8a5f3785b2ceea240e140bfd5eb813cde690e1b1ade1271cb1af5721996e6b4702cacc7dcdbf8bec4d210f519acd82cd28273bc7835b5034002b0ce36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f62019e67a7dc4ebd80101c4963af4f

SHA1
be2f4a04d8145ef05f1437ab1223dfe32f522656

SHA256
2de1ff51af5c5820358e94b3c62f8b61dd353562fdacbf0844d3cc7ea8ee229a

SHA512
21cde2285d8f9b938e08eeea19566a32f35413f3d9e5b355dbd1b49a31d1b4a866ac1d2cb1741e66257dcb5a1c957f4ac413d8675122f09d5255f958cf2c0201

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
225B

MD5
484fa5020a842f81f22ce3cef6e530c0

SHA1
d064c09d207e8428008b18c1898169bbd8cfd99f

SHA256
9c65d57925c2b8805fde841eb4016608c56ad81be32085dcdcedb742374d2a89

SHA512
38bff8719c33d268f9c80214ed34591d39bc1f1eecff35f1ce040e439352ebcb6168ca9a19b984f1dce40fcb8b9bf7726121828f4df5907cd0c747c3841fd7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab893E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
225B

MD5
fa5e6a18141b309c44800349194dcf0b

SHA1
30ba1469133c4e13e7f4e8a8894c045bf9b38e5c

SHA256
00470b3884ceaaeed630fb55f96c248d04111c5bb53ad997541c7932a43bb40a

SHA512
e3552d658d4492356f4ed5e53d40a469d180afc231d32a8eb590bee312bd03936a21a24b8c358cd6094375adaa49fe0e316cf2a52029f9b8ebe1fbe29dbff7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
225B

MD5
f7a56b4e7a0fcd3b91db0b8b6dca613c

SHA1
f203d578039d7bbda526896ec71fd165822d3b6b

SHA256
141e127e83d43392aee9cd12a3a2dcc8be488225f169e4a319bff77074cd77d6

SHA512
e534fd68a26ca1fbb874354e224d2fef8e48f07d37edf11b9c40d7cee8a7a28cbdf7a9aee8482ef74bce70163f6a2d4f45d96d769e69d149eada7035be1db151

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
225B

MD5
4c762444abf4c3359c8ea4a17ec9d53d

SHA1
23e96f84a1cdef833667af2f933301a7a5bbb985

SHA256
3690d71a6f41beed6eb2c99284a95c42a244acd6905efa6a35ce469dda63d7bf

SHA512
36c424eb34a07496f9b82e4f0954d5012649eb9362cc9eb463499fd4f5deddfcf750ab75aff19b14675aaffced50107058ab36e2c98ef66938fbafea1d8a2e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8951.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
225B

MD5
f76f6d489c1e7543d3578e7f8f334e06

SHA1
7cfacf1b3c46454e246f81bd99ad27e03eb134f6

SHA256
0d06067a1b9cf9f83d19533544e7ddcc2668d76665d7d1d5503eb7a2a6abc167

SHA512
1503f589eedbdf17e5c1cb3ccb9a9053654db26ae2158c3a8c29b704901f713c62a358314e16b35b61e1e1f6faa502fbd24e4dd76f3e12e23f1a450853968db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

Filesize
225B

MD5
49eedf7ae988ca3526918b5f98021234

SHA1
2ae6f81f88894df1cc9fb149aea17c23dd559028

SHA256
01bb1ffc1351035d2da7bcc65955af28805c4218cbd5c764ca8d89b1b3354aac

SHA512
8fb904ff47fdfdfb2650fe0f73b2239acf00e6fc6bb15527fc5ce2d5fd34d9c790bb14b972055064f5973519d79a93cc7ccc8bb61965e16832f4634718839ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
225B

MD5
5e0f95c7e2ec5afad8100845c16deecd

SHA1
e2b211d3188e65a2c7f556eac2f1895c089dd439

SHA256
a54b73b853bc8884beef426fd8d8caa70e054a5656a649bbcf31643defbcd63d

SHA512
08703ed850290e76cde2aec42cee82207ff3fb322a43ad5a461d164c2c69d1e44e15bb49a7c0ce5fb6d7e051c6c709df2e2744e8755282f4901327a5eb85ad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
225B

MD5
901644a13b454219b8b8e042b2ebfc9f

SHA1
5352844104dcdbdd5b7e2067294941fa48cae554

SHA256
ab6f5d1bfd91edd0eae358b11ad5975b084a45c0825e51d34be0e2a35c968e31

SHA512
612001f417e33d417ccb25f7e1a9958e574a2cdf3c69b218f8cd3c5bc8e3e38b2cc9ea4abf196046507b6980998de2c6afc20be2f2aecfa24a8322e4bb1f10e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
225B

MD5
430ad4061a63f3eaa915cf6882e00786

SHA1
8a4593976fbd6142bb4bb5b591216fd4c0ef53bb

SHA256
0ebab76ef066882f83f7c273ca678842cda80a6a087cbb6f81c48db450e54531

SHA512
33cdcb54f226983a5a2cce1e23266ec6eb0051e001025196213a3aba78e1f8937f33f80b5f47940660566fcf59eeb6cbce49680d8d882f2ee82538c22efbaf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
225B

MD5
e4f5af17eb0c91b5783fd3fa1c8cdb74

SHA1
c36b51ae48b7151e45fbfaa71bedd64ad48dc1c5

SHA256
11099b0a886536d029f1cf50869b015856cfc5a286395ad35af94125c1008138

SHA512
316f0ebc2e4afc03e0ebf882eee95522952772a14d6848c9a2319111e6b6665f16bdcbea2b054a67bb7a2cd1706bafc7906d3d18f6829c3afd55e87a0b7842a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23b9b9f68e46cae49eebec5e8e6b1ec4

SHA1
efbeaea4964eb6ae91e21f9894e45546c2050ef7

SHA256
69038f3860714d27ae15f9ad5386ae012794a6a4b24e1b6df423879ea477da08

SHA512
062a5f00c6a94c1d9acafb7ecb107c6f336f1a160930615a0f8823dd415ce603ce8a6cae8880b8165381e60ba2886ff86d31ca4869c437f2e87e6a043211ca65

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1488-46-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/1488-39-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1576-110-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1996-230-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2140-469-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2656-170-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2704-589-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2748-15-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2748-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2748-16-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2748-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2748-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-409-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2864-40-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2928-529-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2992-290-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download