dcrat | a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe
Size

1.3MB
MD5

1bc4c93e2a12f2683738b3e9bcdf5fe2
SHA1

ddb15eb9c653336f84b02be9eb5cca2fd91f5f1a
SHA256

a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04
SHA512

8f47529c7b3562379de692bf3de78ce53b21de8a1389e5979b58b4a81b6e6d5c686d07ac62b8b8c9d339901ccdebf7426f9d9ad89dc39cd3e1435def423673f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2316	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d31-9.dat	dcrat
behavioral1/memory/2624-13-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2920-45-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/636-104-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/1360-223-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/3040-283-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/1784-343-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/1576-403-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/532-463-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2372-643-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
1360	powershell.exe
2620	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2624	DllCommonsvc.exe
2920	wininit.exe
636	wininit.exe
2520	wininit.exe
1360	wininit.exe
3040	wininit.exe
1784	wininit.exe
1576	wininit.exe
532	wininit.exe
1524	wininit.exe
304	wininit.exe
2372	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	cmd.exe
2560	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1048	schtasks.exe
1772	schtasks.exe
2868	schtasks.exe
2612	schtasks.exe
2564	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2624	DllCommonsvc.exe
2620	powershell.exe
1360	powershell.exe
972	powershell.exe
2920	wininit.exe
636	wininit.exe
2520	wininit.exe
1360	wininit.exe
3040	wininit.exe
1784	wininit.exe
1576	wininit.exe
532	wininit.exe
1524	wininit.exe
304	wininit.exe
2372	wininit.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	DllCommonsvc.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2920	wininit.exe
Token: SeDebugPrivilege	636	wininit.exe
Token: SeDebugPrivilege	2520	wininit.exe
Token: SeDebugPrivilege	1360	wininit.exe
Token: SeDebugPrivilege	3040	wininit.exe
Token: SeDebugPrivilege	1784	wininit.exe
Token: SeDebugPrivilege	1576	wininit.exe
Token: SeDebugPrivilege	532	wininit.exe
Token: SeDebugPrivilege	1524	wininit.exe
Token: SeDebugPrivilege	304	wininit.exe
Token: SeDebugPrivilege	2372	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2628	2748	JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe	31
PID 2748 wrote to memory of 2628	2748	JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe	31
PID 2748 wrote to memory of 2628	2748	JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe	31
PID 2748 wrote to memory of 2628	2748	JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe	31
PID 2628 wrote to memory of 2560	2628	WScript.exe	32
PID 2628 wrote to memory of 2560	2628	WScript.exe	32
PID 2628 wrote to memory of 2560	2628	WScript.exe	32
PID 2628 wrote to memory of 2560	2628	WScript.exe	32
PID 2560 wrote to memory of 2624	2560	cmd.exe	34
PID 2560 wrote to memory of 2624	2560	cmd.exe	34
PID 2560 wrote to memory of 2624	2560	cmd.exe	34
PID 2560 wrote to memory of 2624	2560	cmd.exe	34
PID 2624 wrote to memory of 972	2624	DllCommonsvc.exe	42
PID 2624 wrote to memory of 972	2624	DllCommonsvc.exe	42
PID 2624 wrote to memory of 972	2624	DllCommonsvc.exe	42
PID 2624 wrote to memory of 1360	2624	DllCommonsvc.exe	43
PID 2624 wrote to memory of 1360	2624	DllCommonsvc.exe	43
PID 2624 wrote to memory of 1360	2624	DllCommonsvc.exe	43
PID 2624 wrote to memory of 2620	2624	DllCommonsvc.exe	44
PID 2624 wrote to memory of 2620	2624	DllCommonsvc.exe	44
PID 2624 wrote to memory of 2620	2624	DllCommonsvc.exe	44
PID 2624 wrote to memory of 2028	2624	DllCommonsvc.exe	48
PID 2624 wrote to memory of 2028	2624	DllCommonsvc.exe	48
PID 2624 wrote to memory of 2028	2624	DllCommonsvc.exe	48
PID 2028 wrote to memory of 1500	2028	cmd.exe	50
PID 2028 wrote to memory of 1500	2028	cmd.exe	50
PID 2028 wrote to memory of 1500	2028	cmd.exe	50
PID 2028 wrote to memory of 2920	2028	cmd.exe	51
PID 2028 wrote to memory of 2920	2028	cmd.exe	51
PID 2028 wrote to memory of 2920	2028	cmd.exe	51
PID 2920 wrote to memory of 1472	2920	wininit.exe	52
PID 2920 wrote to memory of 1472	2920	wininit.exe	52
PID 2920 wrote to memory of 1472	2920	wininit.exe	52
PID 1472 wrote to memory of 1648	1472	cmd.exe	54
PID 1472 wrote to memory of 1648	1472	cmd.exe	54
PID 1472 wrote to memory of 1648	1472	cmd.exe	54
PID 1472 wrote to memory of 636	1472	cmd.exe	55
PID 1472 wrote to memory of 636	1472	cmd.exe	55
PID 1472 wrote to memory of 636	1472	cmd.exe	55
PID 636 wrote to memory of 2832	636	wininit.exe	56
PID 636 wrote to memory of 2832	636	wininit.exe	56
PID 636 wrote to memory of 2832	636	wininit.exe	56
PID 2832 wrote to memory of 2900	2832	cmd.exe	58
PID 2832 wrote to memory of 2900	2832	cmd.exe	58
PID 2832 wrote to memory of 2900	2832	cmd.exe	58
PID 2832 wrote to memory of 2520	2832	cmd.exe	59
PID 2832 wrote to memory of 2520	2832	cmd.exe	59
PID 2832 wrote to memory of 2520	2832	cmd.exe	59
PID 2520 wrote to memory of 1984	2520	wininit.exe	60
PID 2520 wrote to memory of 1984	2520	wininit.exe	60
PID 2520 wrote to memory of 1984	2520	wininit.exe	60
PID 1984 wrote to memory of 264	1984	cmd.exe	62
PID 1984 wrote to memory of 264	1984	cmd.exe	62
PID 1984 wrote to memory of 264	1984	cmd.exe	62
PID 1984 wrote to memory of 1360	1984	cmd.exe	63
PID 1984 wrote to memory of 1360	1984	cmd.exe	63
PID 1984 wrote to memory of 1360	1984	cmd.exe	63
PID 1360 wrote to memory of 920	1360	wininit.exe	64
PID 1360 wrote to memory of 920	1360	wininit.exe	64
PID 1360 wrote to memory of 920	1360	wininit.exe	64
PID 920 wrote to memory of 1872	920	cmd.exe	66
PID 920 wrote to memory of 1872	920	cmd.exe	66
PID 920 wrote to memory of 1872	920	cmd.exe	66
PID 920 wrote to memory of 3040	920	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a60ef437746a972dbdcc597e68ff3fa885d8f790bffa865c77ab94e18f5e0c04.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1500
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1648
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:264
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1872
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        15⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1496
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        17⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:768
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        19⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1056
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        21⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2108
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        23⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2840
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        25⤵
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
040b44f0440f57afd1e600778ef72011

SHA1
ff39cda95e08f03792c03b33114b5160f64329fc

SHA256
066779fc7d44b08514b795a98e4d841726706ab23629f4d8f587697c6f5adc7b

SHA512
8edec227a89055e8826b9fdd602c78167af9091565fe6ef475c272c06d0eda295a06bc6ec6552c759efb290991658d519da2f2cff89512f10ad9c88dfd88f0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abef47517ad2075bfb0925c6f32de92c

SHA1
8c93bd451ad2b40fe53a725cae724c3db2b826eb

SHA256
e4a22f3bacd8bf3dd5e683b48f8020c317df7020f987d1536be0f6c614df6fb8

SHA512
3d2094e4beff3c7c28c9fb3eee4fd3d184e87d687d67e954b79fade26ddc281e19e362829e28336477b723b706e42c62732a93ba11a26ca7a3c38f8546ad2f6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82bade3e24077eebe35975abcff64c72

SHA1
8c8a4f8bed3d118633edea4a91bc510d77e1f537

SHA256
d30798b9c6152166dad370fc8818859ca7d93f3c1df1cc687151ce1885665744

SHA512
c9a3322cd626af610bff21acc9d8ea1de15ff7b0cd47a1964bd8768160c723d37e869ee3710a0281be99565e6084bc51ec64947b31dfac61af39a3f578487e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f3c9a5e0dd96f26a3cd6608f5527433

SHA1
6c7d74cb7f3728e29153e438ea08262e267a0a2e

SHA256
a073a224211afff8a0292be8ac4ab30719b7554589ded0a5f7d0ba5b692213a1

SHA512
6bb513ab0759874609e41e4537f90c9089b18f0053008e7c22013106ab3ab7e584fef591222514606eaf54fe99588a3ea1f87483b2298644f243ddf86408110a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72825f73b8c080e964e1103f9ea6eb9b

SHA1
79a175339f2a71784c197824abf8d73cda696082

SHA256
63b0511a354d689ab311470b78af10ca3c982f8e4f9547dec817272620e3c113

SHA512
49dd4e13e8a811d43786490655812d12a6a2468bd953e4f84d46435459e139c904f06abda82cf1d7a485974cc29f2049ae5ef040a2cb957adbe92a52018b7e62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
847891dca9cb165d88b705ef55da49c2

SHA1
b769c546eee81d09182cb3291f8af70807767b1c

SHA256
550241fffcd3f850e6528ea2791cfd30a9992e58997f5b626a5ba38c45d6b8e1

SHA512
2e6618813cb75487a796df9131b9c42dc11252cbb1bd284d8d7a733404e654b4b81f9c1d5ff5d1f98fc4c6a32f8cf3342a9cb793b82616bf291390098a3acac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9863b3e0f7b7e01ce9fa6c082e57800

SHA1
6a62fb6b75e50a75b9f845d80b02f50aedea0ccf

SHA256
a1adc5f8e3365d461938d0676b3ee7417399e23c6df30d9ca18364d9ce2d8dc0

SHA512
8f54fca78ef92a264827fe565ccf48354d3cefe5b518b1e086d8d8d9f9d4c289c33c3f9d6e4cb26125c87a359a7e6db114ba91803262b4cd111818b95776bf0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77def7eb0f19a4c763d73204d60792fd

SHA1
6c868078e9aee733d553878f4829561e7762c02d

SHA256
04a95ad1a345243294b10eb21b01e40ff8ea8a836fb69fa4e5ffa560ba75d531

SHA512
68b49871e07655058c25f6e9d3077f7434e7eafa496684f7dc6ab6db70b102f4a3af735b67a399a04a6078a9c4ab23bbeee488bd05a333c609179b127c50a21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1484aa45a813eef359e5a19eba37810e

SHA1
e386c31ebaa4a1b2bc71370ed331b84d62db3597

SHA256
36235cb52c2172e3d0c38edb25c7cbe9b27089434de96998db0ddf8b986265d6

SHA512
1c1de6a3660f96b94a9d835ef32da5ca78a6bb728d61d0d871848d4ff02d26f52f3ad14e79e3eb5e23ffe45807606448eedd42eb4963f6b24e441e815abf384d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat

Filesize
239B

MD5
0d391bb4b6e9b613b93e7740a8a899be

SHA1
30a90e0a462274a767fc5d2f9e3edeb719b7e3c7

SHA256
d22b4856afbe3e36c1560f156c1f874a456c0ab3c22c548b1b2565b142f32615

SHA512
65dcf4fc052e73204d418a8331cffab0c160eac54cac7da8d8c26a0dbb73dc1e03c3e880ef869c41b3e18394ed8e110fa75582f7798bd0f922794cf92ee9b3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
239B

MD5
e0baaf3d0378be2d93fa013a1b157ea3

SHA1
f09e822e732a8aff8d3615cc985050e6cc7c0db5

SHA256
2f58941d419664d4d9dd7b44b8f54906759fd283c71333edd930ec5022f39078

SHA512
da564f7d98109016e9a9eeaed484b2fd3428d254fb6f322b5bddd3fea243a8d85994af12d1f2e138090a65f008397f0a1c2c3f5cdc1fce77cc5d24ea07efa120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab45B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
239B

MD5
5f027cded8fda6df604c23597bfcc479

SHA1
1848011252d8c02181b83599a5a6d21fc446a59b

SHA256
3a4a527020ccf4f9ef9267490dbd48b3eeefa6470266384e439ca5f857935229

SHA512
e2127666e2e89ec960b78fed54f592ebdd6be9c3d895fc77603b01af7c451f80c610787e6350d029e7939e1cecc07c2c8cf30130a9a0a7aef430440ed9df7a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
239B

MD5
081fce5fcda7a1fafca60edfefe545fd

SHA1
451e3e5f106fa8e0a894f4f187941b3916fe1f06

SHA256
71ef6a041f1e3ba9c155068ddf42ecb5fcc6fc22b8efebb8d422763135abe832

SHA512
53390a65e0d82bb5cfef96d57bb337d9aa2fe5f05a39a2bbe9d560c9f28fab87e17020e324f9c85d17c73cd408de7dc2aeececfaca57499074837d9ecb61eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
239B

MD5
b7ca57007b1944e8e9cfc4057f2346ca

SHA1
2e172f1eb3e08359f6d01c505ee3979372a1c5e5

SHA256
d5ad2170f5b8f8846ccecb741dd4ed17fd400d9a39e4951d552ded5b5ac675b2

SHA512
4fa5d38c7dd67cd3ba2a3f130a305d800ea28b66e8bfbae8154a123e52d32ac00ecbcf392280518c4d1ed9bf854432f8327c85480dfc3d4828300110634772aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

Filesize
239B

MD5
684df12c9bdf735c71e873c5e0bbb2b0

SHA1
119342db8191e1a26b4769fb343aec75d1ba1bce

SHA256
5c6d7487f58bae4e92ead405b20308af65132f4adcc8e7f54f0085dc476b1da7

SHA512
878ade85cfded55b0d57f8f718dfeb129e15584547437cf5dbe78f0e4f2d29dcbbb672555485632f7ec22d47a3a866f1fc89fa9b905001e5aa886755162c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
239B

MD5
200912512b0b8c0f5578082c9437bd48

SHA1
e16209170d65883ed1211367f5dadff01e1a2dd2

SHA256
2f0a14f4fb40c71e7a464118d5088f75ab2484cb4136d25f64bc91096e5cba1b

SHA512
fe84866b9b861fc1a6da3b791d13f34da624f1184ca75afac7c8377b4b2d93a4557dfb4bee9b8e53aa6611cca40eea36c729a388502b1123576a2ab92122a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
239B

MD5
1654dafe45765ab63e4585150913f18d

SHA1
5ed30219597f459f50ed9f4c819f0a411b29de2b

SHA256
670857cae5f42b30445b5ca2274b2f709abbd634d53f6af0b5b15780643b4669

SHA512
28a22217576b15233c07fa36ad3a82700eaabd3282caf3c0badc167792be8a72e9b289be6fb943d1ad925341effdf92c67f69708a1afe7e526707e22fdc17a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
239B

MD5
44b1ecd0b6af98e309cd94e41ceda577

SHA1
5340e8063877b1c720297b953a5ad96c087ed38c

SHA256
f0ef5ab57275f9270ed22abfbec2655b7b9dd7fbd072cf7404710e7abfb09e78

SHA512
c31d4d115d2b61f0343ba5bf340b0d45461ca334e8ac269c172e5f277bb42a746c97adcbe92ba58401e687fdf9d703dac8634d6da80282eac6c762d5437d9320

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
239B

MD5
7d15a12e648f2ac419064084554acc9a

SHA1
a793054f9688695e9d93e68751e1dc14ed72ce71

SHA256
c252660f6166e9fb88f5f276be4a29f0edef8c86d9e5d69e46c4005f774b2ad9

SHA512
eda94e483806c77cd5c07e8075cfbf6f8a3e668058480919c8889b81a43a50bd1b8443fbd37b32dd7e2f74e75ce12fd8f9022bdef229a4d0a906de9a56100e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
239B

MD5
1166adc4d4848ab1c036efdedd2be2b0

SHA1
e9c4c27c4ab41653012172a5a3f311e7ece0de7f

SHA256
9ff7d20e0fc88feb0883a198441dbaf343d9474ff249ea1a40d9ae6138a50fc5

SHA512
3abd3fb7d56fede67954f4caa2b7c8e3ec070b035da8eba0048ac57dd11f3603f96a1243c4cda5c122c2505b043c9905bd0dd2ef058653bfa0916cb7a2e1138c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dac6637b47abd2e34ecd80b28be75d5f

SHA1
5ce5f0fd220bd504492e388b1a991d1a64b1e313

SHA256
b995ddf5d51d8b930fcc32822c663c6a88808e51159fa31932a211f807ae7f44

SHA512
70859b7f78a46a7d9f67c464a03c129a494cc685bd155599d6ee139951f6a3f52c666d5d27c35d1925e21df69e4b328173d9318c5ef287e7df5d7ec22593853f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/304-583-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/532-463-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/636-104-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/1360-223-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/1524-523-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1576-403-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/1784-343-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2372-643-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2620-40-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-41-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2624-17-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2624-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2624-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2624-14-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2624-13-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2920-45-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/3040-283-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download