dcrat | 8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
Size

1.3MB
MD5

5c894a9f9ca533a57b7156f6eaa5828f
SHA1

c9ce6ea6ff8a9ce662619369da68ff9c824afbb2
SHA256

8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85
SHA512

c0c39a8d5872528129e687f22f113770f46c986ab058340fc8b926627c237c31abea6e75939d6ecffa57c156757bb5ab4f4eb40f9adb7e361b2930a8cf814f59
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2404	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2404	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015f96-11.dat	dcrat
behavioral1/memory/2760-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2128-52-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/1212-289-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
2944	powershell.exe
2912	powershell.exe
588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	DllCommonsvc.exe
2128	taskhost.exe
1288	taskhost.exe
3012	taskhost.exe
2140	taskhost.exe
1212	taskhost.exe
2556	taskhost.exe
2444	taskhost.exe
2812	taskhost.exe
2616	taskhost.exe
2916	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe
3008	schtasks.exe
2044	schtasks.exe
2640	schtasks.exe
2896	schtasks.exe
2100	schtasks.exe
2260	schtasks.exe
2412	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2892	powershell.exe
2944	powershell.exe
2912	powershell.exe
588	powershell.exe
2128	taskhost.exe
1288	taskhost.exe
3012	taskhost.exe
2140	taskhost.exe
1212	taskhost.exe
2556	taskhost.exe
2444	taskhost.exe
2812	taskhost.exe
2616	taskhost.exe
2916	taskhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2128	taskhost.exe
Token: SeDebugPrivilege	1288	taskhost.exe
Token: SeDebugPrivilege	3012	taskhost.exe
Token: SeDebugPrivilege	2140	taskhost.exe
Token: SeDebugPrivilege	1212	taskhost.exe
Token: SeDebugPrivilege	2556	taskhost.exe
Token: SeDebugPrivilege	2444	taskhost.exe
Token: SeDebugPrivilege	2812	taskhost.exe
Token: SeDebugPrivilege	2616	taskhost.exe
Token: SeDebugPrivilege	2916	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2316	2796	JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe	31
PID 2796 wrote to memory of 2316	2796	JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe	31
PID 2796 wrote to memory of 2316	2796	JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe	31
PID 2796 wrote to memory of 2316	2796	JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe	31
PID 2316 wrote to memory of 2820	2316	WScript.exe	32
PID 2316 wrote to memory of 2820	2316	WScript.exe	32
PID 2316 wrote to memory of 2820	2316	WScript.exe	32
PID 2316 wrote to memory of 2820	2316	WScript.exe	32
PID 2820 wrote to memory of 2760	2820	cmd.exe	34
PID 2820 wrote to memory of 2760	2820	cmd.exe	34
PID 2820 wrote to memory of 2760	2820	cmd.exe	34
PID 2820 wrote to memory of 2760	2820	cmd.exe	34
PID 2760 wrote to memory of 2892	2760	DllCommonsvc.exe	45
PID 2760 wrote to memory of 2892	2760	DllCommonsvc.exe	45
PID 2760 wrote to memory of 2892	2760	DllCommonsvc.exe	45
PID 2760 wrote to memory of 2944	2760	DllCommonsvc.exe	46
PID 2760 wrote to memory of 2944	2760	DllCommonsvc.exe	46
PID 2760 wrote to memory of 2944	2760	DllCommonsvc.exe	46
PID 2760 wrote to memory of 2912	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 2912	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 2912	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 588	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 588	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 588	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 2984	2760	DllCommonsvc.exe	53
PID 2760 wrote to memory of 2984	2760	DllCommonsvc.exe	53
PID 2760 wrote to memory of 2984	2760	DllCommonsvc.exe	53
PID 2984 wrote to memory of 2204	2984	cmd.exe	55
PID 2984 wrote to memory of 2204	2984	cmd.exe	55
PID 2984 wrote to memory of 2204	2984	cmd.exe	55
PID 2984 wrote to memory of 2128	2984	cmd.exe	56
PID 2984 wrote to memory of 2128	2984	cmd.exe	56
PID 2984 wrote to memory of 2128	2984	cmd.exe	56
PID 2128 wrote to memory of 2092	2128	taskhost.exe	57
PID 2128 wrote to memory of 2092	2128	taskhost.exe	57
PID 2128 wrote to memory of 2092	2128	taskhost.exe	57
PID 2092 wrote to memory of 2180	2092	cmd.exe	59
PID 2092 wrote to memory of 2180	2092	cmd.exe	59
PID 2092 wrote to memory of 2180	2092	cmd.exe	59
PID 2092 wrote to memory of 1288	2092	cmd.exe	60
PID 2092 wrote to memory of 1288	2092	cmd.exe	60
PID 2092 wrote to memory of 1288	2092	cmd.exe	60
PID 1288 wrote to memory of 1004	1288	taskhost.exe	61
PID 1288 wrote to memory of 1004	1288	taskhost.exe	61
PID 1288 wrote to memory of 1004	1288	taskhost.exe	61
PID 1004 wrote to memory of 2556	1004	cmd.exe	63
PID 1004 wrote to memory of 2556	1004	cmd.exe	63
PID 1004 wrote to memory of 2556	1004	cmd.exe	63
PID 1004 wrote to memory of 3012	1004	cmd.exe	64
PID 1004 wrote to memory of 3012	1004	cmd.exe	64
PID 1004 wrote to memory of 3012	1004	cmd.exe	64
PID 3012 wrote to memory of 2900	3012	taskhost.exe	65
PID 3012 wrote to memory of 2900	3012	taskhost.exe	65
PID 3012 wrote to memory of 2900	3012	taskhost.exe	65
PID 2900 wrote to memory of 1804	2900	cmd.exe	67
PID 2900 wrote to memory of 1804	2900	cmd.exe	67
PID 2900 wrote to memory of 1804	2900	cmd.exe	67
PID 2900 wrote to memory of 2140	2900	cmd.exe	68
PID 2900 wrote to memory of 2140	2900	cmd.exe	68
PID 2900 wrote to memory of 2140	2900	cmd.exe	68
PID 2140 wrote to memory of 712	2140	taskhost.exe	69
PID 2140 wrote to memory of 712	2140	taskhost.exe	69
PID 2140 wrote to memory of 712	2140	taskhost.exe	69
PID 712 wrote to memory of 2056	712	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hV3istLvrT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2204
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2180
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2556
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1804
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2056
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        15⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2124
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        17⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1036
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        19⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2892
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
        21⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2856
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        23⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2380
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f43dfa7a4b41d5ba3ece19cd72527d

SHA1
c63e862be967349c39ab96561223d604ce5c184b

SHA256
da73638453db96c4c620c775a7bddab3446d6d0661ac71c73671205cc3791674

SHA512
bcbadda167c0b9c2c5e2281fdf6673c851492647c0ffb3fe10025a35a48c204c7852d1cfc6fe68c0deb57b7cb7738ab3df75e0e771661b7bd1e362bc6265eccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4339ad1ae1221ffcd347ddec48e9974e

SHA1
29d2fec5c2985ed4c3b4fe4705842dfe3bd08218

SHA256
9307ef1860eca77a5c257fab01f8c92f92a5ee7827c95cbc2fbde6a654c52e26

SHA512
acb09ec69d5c758ab4118658258f426d4f310c1e4d2a1e1a0ad6796201b4fe3dba943d705aa1f72e6c5f557c3df145f049c8462f0275cb48037a53fd77a32f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
623a26fb7eb538cfe6beab53b9d4a5e8

SHA1
28d4545eded51685a517e4cca4b7201b27007e76

SHA256
1bb75d1dbbaf60bde8ca7fc11086e15de3fea19c586c15f5585c649d6a0a5362

SHA512
953d0624b037fae42a9c4885bfc34d0d4e75f74619c5cfd284e7814f46ac2d2afaf1baad3cf7c675e8b329e9a9e56df2045c82ded4ed926e6df95ff86513d5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
078b1e79afe583b001b508ccbe059882

SHA1
be572705d1e9ad2937ebe0600e761b34b444cb63

SHA256
e35eb6f66db5b0e002c06fd206626e325067d571c2e9b2ffe8511af9f461a953

SHA512
ddbb05a92a88827184b41365a37a8c998776f267c03b3d41dec8cd05567d86a444a513cb49bbe42ea6682da7f7ad634bb0883fa3436475a64609aa8210bd7af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c36ab88c4725dda419d4029cee62c6e

SHA1
21fc019f494b837f51803d46fd0fb34e7ae1d73b

SHA256
f9a94e304009d69201bc6b9c88ff7aef27d5098e1ef4324e1224d94d09ef7b07

SHA512
8efb38c0ec510900cf6a491aa6b1fea216297f7d481095db4a058054e699b19438f6bef27887108510c8f25b9bf6c5614144d53ab67b9cecc9643e662b4340c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58735c508c9dd717afec138a9269b184

SHA1
e9a0f5db15abd793ddc0af9f604a9d42eb70042f

SHA256
9a70cc25f00db0348e6242b2947336f40e266140bf0c65d5ca9eaf5bb88865aa

SHA512
c191ba2ae3a8f3dc11d68d71d55bca556118af9acb3685988488c0d89385e6ed451a45821745270ee284e999cad6a38b28183e5173f74e5caa3ae8bc434a5818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e552f17ccfdf0bc9444002a2087e5533

SHA1
6b01407cab86f340171c767fca2d06ac4bc7cfb0

SHA256
88a0c10ba8184498016a91d642b6e4fadfabb0799b10eccf7ed95430e15c299f

SHA512
a66aadbc7b3ee744d5cb327646222de5682d9fa74aa1e2821ea7cedc619218c5522405e0dd804e6761a4079f25796822218114135903987504f5d0d5395be084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff035b7cf2d7b473c1c2d294e42edd8b

SHA1
b2b412b3f12e133491382bcb5cd7d15308089254

SHA256
d8abe84bcba03a8f8115f9e930c4b54bfd6d60a7cdca5254b26d97ef6d294e04

SHA512
560c45d6faeb519fd757915b498a0ad388cb127d7d18206058d57efeb7d3fbccec0e0e2cee35e5e00ded0a0f2e149fa3eacda985b58d7df97778e30a4f8345f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
245B

MD5
c66f695b21c5430772233ebaef2d3756

SHA1
ff8010183f4f1872f356904a197d911ac0c7dc0f

SHA256
5c0006639bb0666b78d00218b3e435989cb43679b892bb5e9140b94450466b0e

SHA512
c660f331c005e21b53911d94715e09f6a450f59fe0041c908023b6ca9c316e3f348f14d954280589b2e4e788d89207bfefe2ea2dfeb5a1fa4d889c790bfb3451

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
245B

MD5
2732a5c650f03f6f25c2fb51f43fb72a

SHA1
1010fc9b277c5c26a0764db7b4e930ecee9b2b29

SHA256
6a9eef51a7fa109aa62b4ee676745c0c26cd42a6f2e1e1934cac1c4d446cf542

SHA512
87da56af40d72523d226eedc8171d3901088dc754cf4054a598b3f92458627cde796400d423cf00ae0e07babd6b40b64966ffbaf8f0dc6c9e8bba0650135799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
245B

MD5
8b3f3c5130165ebedb636e8b9e30ff6c

SHA1
530d54da877c7d980e02e966c4d09312aa5d970b

SHA256
743f4f42e8b234616abca0541ab5e75bf6ff2f9c5b6b11ed9b1b19f02d942f3d

SHA512
41131b71d2f5b16c41677660fac9ad5581a144d09fde46c652df7c5e12771dcdf75375eae6fefc382fab7fe0e7669be3706bc0ec1871ac60433e4510ff91b7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
245B

MD5
e2fd2273db7c5cc44c1e2aed536984a3

SHA1
3549900e50d8539b7e20828657d54f5b88fdae01

SHA256
e1b62c77d4623a22c757bc24941bffaff640639ff07ab5051f20fe404738c0ff

SHA512
1322277314fd5fff829fa3d3447d15017f4d9e0cff7f8ed3994b5bc631480eaca85717ff0d33a64221731011553a7a254c01cce8fe034611a36369c37556394b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
245B

MD5
6774732a9850ada1d6a506d37ea9debc

SHA1
2867af48f03c795dd0325f337847c84029f968e3

SHA256
34650f3244934f2ae9826b6e167f6b3bf11c209fa21469c6770827e812ad2524

SHA512
6bb88a0d98fbb4d2bbd4d55776d191975fda039b65dac00387458ac90ab3b1c814a81c65ab4c2c49ff421e1bdab3f078cc685b5520b02de05d308df8d81e5797

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
245B

MD5
db06b3847b3c13d81797a8413da86f73

SHA1
d34f807ad95c3a29700e03b7574f26ef4868f472

SHA256
de7d643854e1603f1982451f8e0859dbe2721db0fa6d8857586773aa257291a9

SHA512
9eab70b0585daa8b6f650793dd6865c43bfc0702d7f3e90a96bff60ea3f9ad1542351d47d087a748298883d61ca12e401c27eeeb60bd87b6a17681adbe326a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FAB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

Filesize
245B

MD5
ae86185f735639bbe551de96e2741b0b

SHA1
74c6895a4d0591f956a96d8b409e950793d37842

SHA256
5834e41e473ec118f1d6c244ff463da80871a349d32452084b4b76886ded3a81

SHA512
ad9cc4957374a8e7977bd43c6e7e236364cb4c26b6fe7684393681a1d504113a447e06e55ed0b41603bc3de60445bb6eac2151b7fc8f143f12a56119beb9efb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
245B

MD5
bafeee015e95e7c94d3784b506735b4f

SHA1
00c5513f87e11a67f7f44a9f22e0f189b5bd83df

SHA256
d6c9c37dc51a76086ea98d9d2396e2d943034948245ef5d8f7171af216d425f8

SHA512
20059295e40f0009fec66643a2bedc8824fae026ae90ca464b95277ce92a47ffe0c5c8981094f784ac43fad37f9290763860b35862d056261e6e7f17d1f6dca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hV3istLvrT.bat

Filesize
245B

MD5
fa808d1e4feb868df40cd3995f520c88

SHA1
41e435d625f3656b3003fbbb78b96793035a58d2

SHA256
dbdf535fde3826f06965d0c0f4ea95c3acc11ce44675ccda5f6b6300175ca8e7

SHA512
280f36ba7ab7714e08f945b2236e1300755a2df453928df44a20780426c112f1521f608ce6164bca907744270f27cac76d6347e4584cd5b608357e9732854a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
245B

MD5
dd1498d5387e640a6d7679b3f2c10a79

SHA1
51ef34bd57194767212a87160517cd6d60fb13df

SHA256
faaf718dfb890dd06b5c783c127967bd63939b15ca62948ed40d2341f92353be

SHA512
554d38043467924ca642a80c5163edbbd0612ba554664090ecd1c7b1f1724119b7a4792be14e8715220cd0c5100805b51459b0d92eeffbba2b478b0e0ded710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ff118f8ba7d85116efd5b8fa2114ab4

SHA1
b5c4fc81cb571fe4c3964b09873a41697d8ecac2

SHA256
d21eed676761d88672d8b7cc88dd02c645281da9894908d3f09c238598a905dd

SHA512
38dac533e21e65e83071b3c5f10499daaf41eca6ab4855a47887a74605e39b35e849ba98a0960fe568168e1af9b9f0198537abcb7580c78a33da6b8ba802d293

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1212-289-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2128-52-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-408-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2616-527-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2760-17-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2760-15-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2760-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2892-49-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2916-587-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2944-48-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/3012-170-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download