dcrat | 1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe
Size

1.3MB
MD5

d9327f8645d2bcef36bb8f7e95d3255b
SHA1

662383ed12ae5f4be818c9766f2027ee795e9b6c
SHA256

1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71
SHA512

24793190f97828e84e2730e70b966c5123c33630127d234f13b2cc11ecb40c4a542b066c071494650c74cf5dff5d259f3b4ba6dcd89a706fda34128481d93872
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCZ:UbA30GnzV/q+DnsXgP

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2724	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d2c-12.dat	dcrat
behavioral1/memory/2736-13-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2328-46-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/2452-129-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2720-189-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/1336-250-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2096-370-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/548-430-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
3020	powershell.exe
2120	powershell.exe
1756	powershell.exe
2428	powershell.exe
2424	powershell.exe
3012	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2736	DllCommonsvc.exe
2328	spoolsv.exe
2452	spoolsv.exe
2720	spoolsv.exe
1336	spoolsv.exe
824	spoolsv.exe
2096	spoolsv.exe
548	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	cmd.exe
2828	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\ja-JP\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\ja-JP\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1652	schtasks.exe
3068	schtasks.exe
1648	schtasks.exe
2080	schtasks.exe
1564	schtasks.exe
1428	schtasks.exe
692	schtasks.exe
2632	schtasks.exe
2688	schtasks.exe
2000	schtasks.exe
568	schtasks.exe
2936	schtasks.exe
2672	schtasks.exe
1116	schtasks.exe
1268	schtasks.exe
1480	schtasks.exe
2928	schtasks.exe
388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2736	DllCommonsvc.exe
2424	powershell.exe
2224	powershell.exe
2120	powershell.exe
3012	powershell.exe
2428	powershell.exe
1756	powershell.exe
3020	powershell.exe
2328	spoolsv.exe
2452	spoolsv.exe
2720	spoolsv.exe
1336	spoolsv.exe
824	spoolsv.exe
2096	spoolsv.exe
548	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2328	spoolsv.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2452	spoolsv.exe
Token: SeDebugPrivilege	2720	spoolsv.exe
Token: SeDebugPrivilege	1336	spoolsv.exe
Token: SeDebugPrivilege	824	spoolsv.exe
Token: SeDebugPrivilege	2096	spoolsv.exe
Token: SeDebugPrivilege	548	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2016	1660	1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe	30
PID 1660 wrote to memory of 2016	1660	1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe	30
PID 1660 wrote to memory of 2016	1660	1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe	30
PID 1660 wrote to memory of 2016	1660	1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe	30
PID 2016 wrote to memory of 2828	2016	WScript.exe	31
PID 2016 wrote to memory of 2828	2016	WScript.exe	31
PID 2016 wrote to memory of 2828	2016	WScript.exe	31
PID 2016 wrote to memory of 2828	2016	WScript.exe	31
PID 2828 wrote to memory of 2736	2828	cmd.exe	33
PID 2828 wrote to memory of 2736	2828	cmd.exe	33
PID 2828 wrote to memory of 2736	2828	cmd.exe	33
PID 2828 wrote to memory of 2736	2828	cmd.exe	33
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 2428	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 2428	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 2428	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 2424	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 2424	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 2424	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 3012	2736	DllCommonsvc.exe	56
PID 2736 wrote to memory of 3012	2736	DllCommonsvc.exe	56
PID 2736 wrote to memory of 3012	2736	DllCommonsvc.exe	56
PID 2736 wrote to memory of 3020	2736	DllCommonsvc.exe	59
PID 2736 wrote to memory of 3020	2736	DllCommonsvc.exe	59
PID 2736 wrote to memory of 3020	2736	DllCommonsvc.exe	59
PID 2736 wrote to memory of 2224	2736	DllCommonsvc.exe	60
PID 2736 wrote to memory of 2224	2736	DllCommonsvc.exe	60
PID 2736 wrote to memory of 2224	2736	DllCommonsvc.exe	60
PID 2736 wrote to memory of 2120	2736	DllCommonsvc.exe	62
PID 2736 wrote to memory of 2120	2736	DllCommonsvc.exe	62
PID 2736 wrote to memory of 2120	2736	DllCommonsvc.exe	62
PID 2736 wrote to memory of 2328	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 2328	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 2328	2736	DllCommonsvc.exe	67
PID 2328 wrote to memory of 1704	2328	spoolsv.exe	68
PID 2328 wrote to memory of 1704	2328	spoolsv.exe	68
PID 2328 wrote to memory of 1704	2328	spoolsv.exe	68
PID 1704 wrote to memory of 2644	1704	cmd.exe	70
PID 1704 wrote to memory of 2644	1704	cmd.exe	70
PID 1704 wrote to memory of 2644	1704	cmd.exe	70
PID 1704 wrote to memory of 2452	1704	cmd.exe	71
PID 1704 wrote to memory of 2452	1704	cmd.exe	71
PID 1704 wrote to memory of 2452	1704	cmd.exe	71
PID 2452 wrote to memory of 3060	2452	spoolsv.exe	72
PID 2452 wrote to memory of 3060	2452	spoolsv.exe	72
PID 2452 wrote to memory of 3060	2452	spoolsv.exe	72
PID 3060 wrote to memory of 2812	3060	cmd.exe	74
PID 3060 wrote to memory of 2812	3060	cmd.exe	74
PID 3060 wrote to memory of 2812	3060	cmd.exe	74
PID 3060 wrote to memory of 2720	3060	cmd.exe	75
PID 3060 wrote to memory of 2720	3060	cmd.exe	75
PID 3060 wrote to memory of 2720	3060	cmd.exe	75
PID 2720 wrote to memory of 1772	2720	spoolsv.exe	76
PID 2720 wrote to memory of 1772	2720	spoolsv.exe	76
PID 2720 wrote to memory of 1772	2720	spoolsv.exe	76
PID 1772 wrote to memory of 3024	1772	cmd.exe	78
PID 1772 wrote to memory of 3024	1772	cmd.exe	78
PID 1772 wrote to memory of 3024	1772	cmd.exe	78
PID 1772 wrote to memory of 1336	1772	cmd.exe	79
PID 1772 wrote to memory of 1336	1772	cmd.exe	79
PID 1772 wrote to memory of 1336	1772	cmd.exe	79
PID 1336 wrote to memory of 2780	1336	spoolsv.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe
"C:\Users\Admin\AppData\Local\Temp\1cc97422529ce3537ca8b8695002b7f6821c3bea6eb026c7000bf1a828154a71.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2644
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2812
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3024
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        12⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2052
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        14⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2768
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        16⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1452
        
        C:\Program Files\DVD Maker\ja-JP\spoolsv.exe
        
        "C:\Program Files\DVD Maker\ja-JP\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d457c4a6e0420a083529345a236e255d

SHA1
752fc400371c9487781fe33ea510e33ff4a48615

SHA256
84dca4fb9fc0b047c60c9ab968267f27eaeb9c75bfc5b6b4e6c6e6eaeffefb2f

SHA512
4fa906ff9c7a06458a7c300b8e4f594f2109c8c6f44232125c9de0a1390ff69eeec38c2d51003722675d5328365081784e937721c1153c177b3f2d0a89d75162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
673a74bd262c0703ab92b5e1e97cd9a0

SHA1
61ba5d7bc8fe9977ab15eb6e8df985d5db392513

SHA256
5695369859a7ac01c888f694ce6285047043c161d28cf62e915ce05b7448bc4d

SHA512
836eacbf933df6859fc2aab6f0c7973f648289828832cd2220fa68b2b88b4a349b3bd31a2fc3abcdc9473c168d0119117d45c10ebd5cfc6e2a7093d14182bc05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29f092e07a341366aa93804ae3105302

SHA1
40115e2329297c7b5db070b81e40bedfe2e6fe73

SHA256
8422fb0cb200b6e73a08365c666f6eb36e4c14ccf6a1c71c713c843531ffe246

SHA512
97eb62a530880866e0ff9534818de5a7ee11875440170455784fe706cfaeb47e8d3dea393193b53e270d3dd010225a2408654a2c4659ee49c33fe620d0cb9e2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce29329e6cb990661e9a327e51a1cff

SHA1
6da0e4d968cbbac0873d6245b1646f791b739dce

SHA256
b6fb6c232a3b5173131d8221ed809d5a86cd94476756658f5eece5018014c3e4

SHA512
0a2176add679ba9be0042fedec51ce1946ce9003c2e817c03ed4dcafc0620264a4e9cab4b05e13b14167f603e2a8ca5dca23b7d08853f6bef8345d07b488ab4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84b6429448b56548bd8905463fa8e058

SHA1
eb611172b2feb32208604c28b435394623048c97

SHA256
ed2056a746c11e590d7c3c9e4db46640952460f481b09e0fdbf42ab405aa367b

SHA512
964deaa2b3dba304271d651525c0008b344fcd5a1e2ff7e2781d1436939ce711b9b8c6da90d607d05cee6bd830dd526fdaba5fb232c2bd5ba53c98351a0bee39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f1032df6b8660e30177dbd310f9d8eb

SHA1
bbf47317deded403a5dba7c315b1f284d1be2523

SHA256
df9a32584759d26fa7f9e96b0cc015f2f47915a81df982eed80ded1a7922c5cd

SHA512
c552af3792ebdd8f068166d1d65883e3d5afb390913ac73f83abb9a0db5a7a75a5be8b6a9adc1d9a788393ae10c358eef914a44b9cc8acf0a60b2601a49b44ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
209B

MD5
eaba6f5b4f545baf1b1e7e4a71bcf12a

SHA1
fe41c24022a2e3d72531da3ad94f2a2109d386c0

SHA256
c7541fec4e5506ad574ac9a921ab4eb52dda1d28b30c9836f13d5dc1ba2e85ff

SHA512
af3031ad250eb1cc92c48123787825c383dd9c4b10c3212b0617c49247c99457f40fd2a66e3230508d06d3d0967c36fb3b8fe060b8b8347286d5c99238bd51f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
209B

MD5
036c960c968ca1fc08a04e30813f5ff2

SHA1
291c9418634c696678106b6d0aa8af09facca7b0

SHA256
b9b266376165aa04bdd200f68614532dda0425baebd2b98bdb4b99209cac4b10

SHA512
10a430c319a974191b8868e6538d41a11dcbad194869281ec7987079334664f9de71f5241e6c71536eac0f98849092fb791f535abd9afd7366b798eaeab753eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
209B

MD5
5e598d80d9e4b28babb093e2ff1125bc

SHA1
0cfb8cbc67f1d967dac11f17d4e21ab01a38aa1d

SHA256
0e61aca1eb3ab3b17f60de72ea1d8d63b9fa917c3d6a875dba424ce7ac675145

SHA512
22bef475363d9ccfd3dae9886bc14cf1e9562b9031f4f9b3a3d595eaf7afe1bc783019b2d772e628d006da479ff8e1ec2b038e588734a80e72020f2788165d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab735E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
209B

MD5
86e4d392e14a833d3b8b470cb951f87e

SHA1
81f3dc96c6fb5743c3ea83ed8ff8e650e603b6ce

SHA256
e359a8e92c3b30098e0ec2c4c8acd27a6d9548a53683695d67f69232249366d8

SHA512
1a100f51847d64a53539580d3bb59184b9e6b2e2fee28c1ae6b8808eaebfcfe134a4515e13edabff8d12408612c61f259a1b0a5acfe43cd094906d7d2bd8ae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
209B

MD5
0d2c3554f722c8b889398e94b521c06c

SHA1
fca52db8236a209f202fd2c107b8a6484ae640c8

SHA256
d50271047a9c665719e8a6ab60ccd3438b9c9e87a79e3a7012188f7cbe4aa423

SHA512
a92ccbf7846c5c1eb9474e431cc70693da18313bb452c22e113e6f1487a44f1f46d53c552dfa7059756ebbd2a8a3ad84a5668e92507f70f5c9b67bfa03cd4f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73FD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
209B

MD5
d7a416a472e40f76bbfb5bd1a45b626a

SHA1
f468ed6c2d653e17eafe6dfcc15fcdda1caa3515

SHA256
4d690e611db0571bb76c40b2687d555a0d3cf05e9cb8f543892ef14682ff5ab8

SHA512
19004df554eba5518f3b871ed2e59919d1bb27cf6b5ec512822b791a4724f11ac60d6999104b3fc1dfd030336cfbd5589f2a8f52183208e044b47e91db530006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGN2E9ZW86BJATMPSXJW.temp

Filesize
7KB

MD5
a2348aa97f47edd0b4d20a6a95e095ca

SHA1
2297884cca87acb299376fe8876e69144f76e5ee

SHA256
bdf23664b6ad8d7ad15860045eb75eb992bfe7333d769ea673f490209288920f

SHA512
f50efe3e67a781f7b417c4262f387605acada5619dcdffae26559c9bc4d536853ae4604db42852c16c55a651f92d90a9a7470ac15aa3f080a4bdeb753e075423

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/548-430-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/824-310-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1336-250-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2096-370-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2224-69-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2328-70-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2328-46-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-68-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2452-129-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2720-189-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2720-190-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2736-14-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2736-15-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2736-13-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2736-16-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download