dcrat | bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
Size

1.3MB
MD5

0c0e9d81c1fc8382f48c1c4144d2c16f
SHA1

8d2762a079d1c967b934dd3e523541f4272072d6
SHA256

bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7
SHA512

7000bb88fb5778d61f2e78649c5ccde76a968449466f77bac2d0c7a4bdc4d6569e2b7a17d4e41bd84bae66987ed6beafc5c91ae1add3d623db0b067dee0cec78
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2744	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2744	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2744	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2744	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2744	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2744	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016858-9.dat	dcrat
behavioral1/memory/2760-13-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/1612-45-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1516-105-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/1996-225-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/904-286-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2076-346-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/376-407-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
2120	powershell.exe
2292	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2760	DllCommonsvc.exe
1612	dwm.exe
1516	dwm.exe
2400	dwm.exe
1996	dwm.exe
904	dwm.exe
2076	dwm.exe
376	dwm.exe
872	dwm.exe
2532	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
1156	cmd.exe
1156	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe
2752	schtasks.exe
2728	schtasks.exe
2632	schtasks.exe
2668	schtasks.exe
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2760	DllCommonsvc.exe
2292	powershell.exe
1600	powershell.exe
2120	powershell.exe
1612	dwm.exe
1516	dwm.exe
2400	dwm.exe
1996	dwm.exe
904	dwm.exe
2076	dwm.exe
376	dwm.exe
872	dwm.exe
2532	dwm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1612	dwm.exe
Token: SeDebugPrivilege	1516	dwm.exe
Token: SeDebugPrivilege	2400	dwm.exe
Token: SeDebugPrivilege	1996	dwm.exe
Token: SeDebugPrivilege	904	dwm.exe
Token: SeDebugPrivilege	2076	dwm.exe
Token: SeDebugPrivilege	376	dwm.exe
Token: SeDebugPrivilege	872	dwm.exe
Token: SeDebugPrivilege	2532	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2076	2380	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2380 wrote to memory of 2076	2380	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2380 wrote to memory of 2076	2380	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2380 wrote to memory of 2076	2380	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2076 wrote to memory of 1156	2076	WScript.exe	32
PID 2076 wrote to memory of 1156	2076	WScript.exe	32
PID 2076 wrote to memory of 1156	2076	WScript.exe	32
PID 2076 wrote to memory of 1156	2076	WScript.exe	32
PID 1156 wrote to memory of 2760	1156	cmd.exe	34
PID 1156 wrote to memory of 2760	1156	cmd.exe	34
PID 1156 wrote to memory of 2760	1156	cmd.exe	34
PID 1156 wrote to memory of 2760	1156	cmd.exe	34
PID 2760 wrote to memory of 1600	2760	DllCommonsvc.exe	42
PID 2760 wrote to memory of 1600	2760	DllCommonsvc.exe	42
PID 2760 wrote to memory of 1600	2760	DllCommonsvc.exe	42
PID 2760 wrote to memory of 2120	2760	DllCommonsvc.exe	43
PID 2760 wrote to memory of 2120	2760	DllCommonsvc.exe	43
PID 2760 wrote to memory of 2120	2760	DllCommonsvc.exe	43
PID 2760 wrote to memory of 2292	2760	DllCommonsvc.exe	44
PID 2760 wrote to memory of 2292	2760	DllCommonsvc.exe	44
PID 2760 wrote to memory of 2292	2760	DllCommonsvc.exe	44
PID 2760 wrote to memory of 1484	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1484	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1484	2760	DllCommonsvc.exe	48
PID 1484 wrote to memory of 1444	1484	cmd.exe	50
PID 1484 wrote to memory of 1444	1484	cmd.exe	50
PID 1484 wrote to memory of 1444	1484	cmd.exe	50
PID 1484 wrote to memory of 1612	1484	cmd.exe	51
PID 1484 wrote to memory of 1612	1484	cmd.exe	51
PID 1484 wrote to memory of 1612	1484	cmd.exe	51
PID 1612 wrote to memory of 896	1612	dwm.exe	52
PID 1612 wrote to memory of 896	1612	dwm.exe	52
PID 1612 wrote to memory of 896	1612	dwm.exe	52
PID 896 wrote to memory of 1948	896	cmd.exe	54
PID 896 wrote to memory of 1948	896	cmd.exe	54
PID 896 wrote to memory of 1948	896	cmd.exe	54
PID 896 wrote to memory of 1516	896	cmd.exe	55
PID 896 wrote to memory of 1516	896	cmd.exe	55
PID 896 wrote to memory of 1516	896	cmd.exe	55
PID 1516 wrote to memory of 2468	1516	dwm.exe	56
PID 1516 wrote to memory of 2468	1516	dwm.exe	56
PID 1516 wrote to memory of 2468	1516	dwm.exe	56
PID 2468 wrote to memory of 1244	2468	cmd.exe	58
PID 2468 wrote to memory of 1244	2468	cmd.exe	58
PID 2468 wrote to memory of 1244	2468	cmd.exe	58
PID 2468 wrote to memory of 2400	2468	cmd.exe	59
PID 2468 wrote to memory of 2400	2468	cmd.exe	59
PID 2468 wrote to memory of 2400	2468	cmd.exe	59
PID 2400 wrote to memory of 1600	2400	dwm.exe	60
PID 2400 wrote to memory of 1600	2400	dwm.exe	60
PID 2400 wrote to memory of 1600	2400	dwm.exe	60
PID 1600 wrote to memory of 1696	1600	cmd.exe	62
PID 1600 wrote to memory of 1696	1600	cmd.exe	62
PID 1600 wrote to memory of 1696	1600	cmd.exe	62
PID 1600 wrote to memory of 1996	1600	cmd.exe	63
PID 1600 wrote to memory of 1996	1600	cmd.exe	63
PID 1600 wrote to memory of 1996	1600	cmd.exe	63
PID 1996 wrote to memory of 1360	1996	dwm.exe	64
PID 1996 wrote to memory of 1360	1996	dwm.exe	64
PID 1996 wrote to memory of 1360	1996	dwm.exe	64
PID 1360 wrote to memory of 604	1360	cmd.exe	66
PID 1360 wrote to memory of 604	1360	cmd.exe	66
PID 1360 wrote to memory of 604	1360	cmd.exe	66
PID 1360 wrote to memory of 904	1360	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1444
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1948
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1244
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1696
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:604
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        15⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2820
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        17⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2876
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        19⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:988
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        21⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2372
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2067d8074260a57f103ed179c658a817

SHA1
73b6939d5b89c6c30636f30f2e2ec4e991ce7e19

SHA256
61a13aea248afe9b8a7df9561b484a623929a2c415e0587a4484bb54b8adbc1d

SHA512
82cca9eb6ee780432c170da1f05a7f5ffeb3cf09afc1bf1aa9897b15ea0a9b686d9d227cc62ab7e557a93ff89e6c3f0ac28f2e7f574983d21cd1d9a56e2dd555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f748574079a10d7b5356cf616c91b2f

SHA1
3dc1dbc5924c7a00b6dfae431261b19158808a61

SHA256
5f4e43be72eb9aa3d42a1624ddc881f28fe62b96abd99476d9824448a0e2b76c

SHA512
4cb9a630299cd83e4bd5f1ae95dad2cd751528f052709d982736b60966532c95e545bf2bfa22594f6dba21dcfb9eae8c44bab5a07fde76b924edfd2ca69141df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee501add6a1b02022292ee44df19b38c

SHA1
be205c6cab52a246c4c24b1bd006ce838af006e5

SHA256
bc904fd6765de23a88b39672fa523662d2f00d2327cc3141ac67d03deae15279

SHA512
d566a59f1e637d2b826110d56c0227ea700f3549c3e1982bab33f2ba6ffe672eed5c5375d2e2799582439bd151de7e7a2f131b860d27294a00001604f1aa9dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efeac541fff5466aac53519f4882f1ac

SHA1
07a3a1a192302028cb06697c8f53d56f29ea9cdd

SHA256
8a3041d6227fbf4a48329af7187ae664420078566526830eecae0fc2a38de9a2

SHA512
66592444220cd58efe6ace93f0f4ecb2617b1ccb5ba68d930f90bd89fcee1b97958e36d2b79f7afb8e542132315d566c2309518cb8c17941bb03b65df8aab691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a200d169ace11e8b57f51d117c1eb3ee

SHA1
6c66a0b09a694497ec848be7f2d1eed19b462388

SHA256
1d594f5d38ee6aa0ba351df5de30a202f925857a1c589cc7fa1c2f03b5bc3c16

SHA512
a542ad118165e92d08a50db561a4fa51598fa8ac19ff5674b2ffd781f0df084dc1ad94b0a8f0f0587fed6cdb11bad07bfbe90bbbfb0b8b09a2c79e959a0c3392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57ee0eaa322fb4d9786ba1561693800d

SHA1
303e20cb979813295afc9386df4b252977de3a18

SHA256
89b3dd94e684c9f7988558fbb9b32769da8dd1ae8c0e0bc848876da40a90664d

SHA512
906ff34b6cc53e30dc2dbfe9e9960a29a4d61a323653609f09d39ca16e9e9be3dae99824d45d7c20c322b32fa7f66183a56dd7c2a590f78f041c57375db90d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db6d9cc26d5d7a60db5af162c8084c2a

SHA1
ef8a40df11b3dc7859fb0147945d3e0f0aa9abb6

SHA256
ab38c9487be7d678d6069e27d027413bda5661b7488bb0821a6117ffbb1dac4e

SHA512
4842116724d8d9e92ad2734236421b1f0a49b7d37125f358a5ef2ac80a82787ac15277ebfdf9ff4b2daf1011314b78f0f87f7ab54a8d1e646e60f6db4148ac5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d92d2d5580218a6377b48bb6650a5ad

SHA1
093f55af5f8d551c65ad7af0350abdf4aefa99c2

SHA256
a59b72e200e6a2e7338f305dde39b7182ba1e7ceee1f14a4154f2f094e16cd6d

SHA512
b231c312e15a881cc8166cede97503c60e0e1cf1317e087d67052c99c3d89cdf9bcd0de03ee58cd6cf5a2df3b1a4d6d34892170cb101a71343d6ceb1174c2c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
235B

MD5
407b6d0751a90dbf5f9603a837124d8a

SHA1
546c887044a2cabee656c0ef320fac5b35a36dbf

SHA256
c38392b032afd931542ac9cbdb2888d40584139268fef4affa0fb92c730ca07a

SHA512
b93a192daa9ec8d9373a043c6574c1d5a6bd4a3cecc11a7d07b6d077446d3158df9c07b715fcc1397cee3d329233cbd9c618e569859e91b20ef9d6e4d75b687b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
235B

MD5
87dad74e524846deeb9449089c945851

SHA1
583c1697930e460f3a5bf2c7b967cbf45edc98a5

SHA256
d2146c5eb8f579e334ee208b291a36b1920a9014cd69f6196d78687860ca2bcd

SHA512
bfacd8ad7cc2398f5c618633a0e6b7738cef66a363c4b91c9509396f5be974a24437a1eaf140d105ab9cf6c88ef2b7451e5a390015c17344ff6a071bbcdc475e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
235B

MD5
d142193627828d4481c1b629b89348d0

SHA1
dac9d1616c66b6e6bab954b2d5ef5f4adef697b9

SHA256
ea6f948592db863f84174991991f56547c08febe45248562f4548474aa70e897

SHA512
524b6d111ae6998babdcc334ff4283a2bd292d569d6b9fa33aef8ba617126f18a2170162d71c1bd08b154ca53c2215d5a636274986e9d484c287aa857c629fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
235B

MD5
1ad33611ddd2c9052115f2017f6cc619

SHA1
9f42ecca93b67e0eb4fafe0b728d0654f926ef8a

SHA256
fbd36a9c2e57e2272779370e497178c81a859b1ebc17e437273146955a3d7d54

SHA512
47e042221d44ea9a451bea929fce21dc72aaf9ce9203a4934cf9d924d6134a42a0dfdf09c93e4ad9ab90ca4bf232d2e5ec60e75631a92c0791ba991b419310ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1834.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1847.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
235B

MD5
0b08d7c7894bb2ec5394daa7da1c25ff

SHA1
ad595115ea75fff03979aa57e9d6782e85632e18

SHA256
4d38ab0ddfd0d8f9c7de70c3d173bcadd0df1e82e703928cec1b39ed7817abdd

SHA512
c3804ee77855ec13701b06b09dc86990e4b22d07b5b90dc55b8b66110bd3e74e92f0c687d6e30bb0e20dd1e9c0d1f00ea3ca69529d471992827110666fe8a4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat

Filesize
235B

MD5
1764e9a00b7728bfbef4501e4de6fae6

SHA1
214b73bb97978617e552088e62f0c31c3eae1326

SHA256
0739d84a13f2183aa0fffb61307b007602263916f9cf6bd7db62ac2209ab8d0c

SHA512
f60dbd1d91c59f5b4997aab89158cb893a3e78a7d4d90bfa7090506363018421a23fc09de2f974a711d19ee134282014985536591f6087dea42599e6a155c148

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
235B

MD5
4c29d213cd9148ce4df893ad51b297ba

SHA1
c76049687090051b9c6e20d011a34a9e2d8c245d

SHA256
6749eb06e8f093b08cf77c99b0bce3268fa286254a8ca7f3487f40a371fe58f9

SHA512
0315a89d583d67baa4d88bcf35a1df57a0e8c0a9cd75954a19cf6c01e13c37a15417dafc363234fcf1233702452083c58d3071192d99c4ff17d7b220cdfd3929

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
235B

MD5
42131885d4ed99fd558c70746a64e6cb

SHA1
8dfdeaf4412c38e825c70cae562976dd81195c07

SHA256
bb889e14b7645c8797e14bbed3b4b0bbdf786b3ee40e10350644e364704da8a8

SHA512
6e7afa507b59f02a54fc6871379574b14be6c56e1d727db01f39bb9fd2609fdb1c0c8849f62fc63389d40a184097fa23e4b47df54bc59fbe5ee01eaca48c7994

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
235B

MD5
ed6ef23b474f51397ce43c5a346e38b8

SHA1
f99f66623e7ab19f217204c5c6f63b3272633bbb

SHA256
458844b51155e3754bfa3f678c402733647e1aa7925b029c04230850ecb494f9

SHA512
bd3b13c07b6db4228f24194ac53e53309bdeebc49df876d7b77f00a9fe2148817a7aa978bb88dafc458be1db79b9afb5d62700a3dae9fe1d85d532727da04d33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58f655ffc1873cd03ca20670548e396f

SHA1
49db429a72ce257950a963a89c06a1ccde84ba52

SHA256
f105f432c10c6042d1c885f0f21c824a27c86f2836dab45450f0fdbab8f3030b

SHA512
f6eb6991ff3a00dc7f3766f4333dc3888ba811b5c51bdc19324aff0cef244c990589ff3e9a939a9699d2191a332e1a535947fff6f476ab672e52de979fa903ca

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/376-408-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/376-407-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/904-286-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1516-105-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/1516-106-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/1612-45-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1612-46-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1996-226-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1996-225-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2076-346-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2076-347-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2292-32-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2292-37-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2760-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2760-15-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2760-13-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download