dcrat | 9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad0b4a4a549230e090d712b5521bd96.exe
Size

3.3MB
MD5

0ad0b4a4a549230e090d712b5521bd96
SHA1

55690e0d976955e80f14c314efcaa34e3303a02b
SHA256

9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429
SHA512

b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027
SSDEEP

49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0ad0b4a4a549230e090d712b5521bd96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

pid	Process
4504	dllhost.exe
5096	dllhost.exe
4008	dllhost.exe
3356	dllhost.exe
1308	dllhost.exe
1836	dllhost.exe
4424	dllhost.exe
996	dllhost.exe
4848	dllhost.exe
1552	dllhost.exe
3704	dllhost.exe
4932	dllhost.exe
2584	dllhost.exe
2460	dllhost.exe
2320	dllhost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\it-IT\e6c9b481da804f	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\explorer.exe	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\7a0fd90576e088	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\backgroundTaskHost.exe	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\dotnet\host\fxr\StartMenuExperienceHost.exe	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\dotnet\host\fxr\55b276f4edf653	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Program Files\Windows Defender\it-IT\OfficeClickToRun.exe	0ad0b4a4a549230e090d712b5521bd96.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfficeClickToRun.exe	0ad0b4a4a549230e090d712b5521bd96.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\lsass.exe	0ad0b4a4a549230e090d712b5521bd96.exe
File created	C:\Windows\Logs\CBS\6203df4a6bafc7	0ad0b4a4a549230e090d712b5521bd96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5008	PING.EXE
4928	PING.EXE
1868	PING.EXE
2824	PING.EXE
4376	PING.EXE
1136	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	0ad0b4a4a549230e090d712b5521bd96.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	dllhost.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4928	PING.EXE
1868	PING.EXE
2824	PING.EXE
4376	PING.EXE
1136	PING.EXE
5008	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe
4740	0ad0b4a4a549230e090d712b5521bd96.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	0ad0b4a4a549230e090d712b5521bd96.exe
Token: SeDebugPrivilege	4504	dllhost.exe
Token: SeDebugPrivilege	5096	dllhost.exe
Token: SeDebugPrivilege	4008	dllhost.exe
Token: SeDebugPrivilege	3356	dllhost.exe
Token: SeDebugPrivilege	1308	dllhost.exe
Token: SeDebugPrivilege	1836	dllhost.exe
Token: SeDebugPrivilege	4424	dllhost.exe
Token: SeDebugPrivilege	996	dllhost.exe
Token: SeDebugPrivilege	4848	dllhost.exe
Token: SeDebugPrivilege	1552	dllhost.exe
Token: SeDebugPrivilege	3704	dllhost.exe
Token: SeDebugPrivilege	4932	dllhost.exe
Token: SeDebugPrivilege	2584	dllhost.exe
Token: SeDebugPrivilege	2460	dllhost.exe
Token: SeDebugPrivilege	2320	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4160	4740	0ad0b4a4a549230e090d712b5521bd96.exe	85
PID 4740 wrote to memory of 4160	4740	0ad0b4a4a549230e090d712b5521bd96.exe	85
PID 4160 wrote to memory of 1152	4160	cmd.exe	87
PID 4160 wrote to memory of 1152	4160	cmd.exe	87
PID 4160 wrote to memory of 3152	4160	cmd.exe	88
PID 4160 wrote to memory of 3152	4160	cmd.exe	88
PID 4160 wrote to memory of 4504	4160	cmd.exe	93
PID 4160 wrote to memory of 4504	4160	cmd.exe	93
PID 4504 wrote to memory of 4592	4504	dllhost.exe	98
PID 4504 wrote to memory of 4592	4504	dllhost.exe	98
PID 4592 wrote to memory of 4416	4592	cmd.exe	100
PID 4592 wrote to memory of 4416	4592	cmd.exe	100
PID 4592 wrote to memory of 3592	4592	cmd.exe	101
PID 4592 wrote to memory of 3592	4592	cmd.exe	101
PID 4592 wrote to memory of 5096	4592	cmd.exe	104
PID 4592 wrote to memory of 5096	4592	cmd.exe	104
PID 5096 wrote to memory of 2296	5096	dllhost.exe	105
PID 5096 wrote to memory of 2296	5096	dllhost.exe	105
PID 2296 wrote to memory of 2680	2296	cmd.exe	107
PID 2296 wrote to memory of 2680	2296	cmd.exe	107
PID 2296 wrote to memory of 4928	2296	cmd.exe	108
PID 2296 wrote to memory of 4928	2296	cmd.exe	108
PID 2296 wrote to memory of 4008	2296	cmd.exe	109
PID 2296 wrote to memory of 4008	2296	cmd.exe	109
PID 4008 wrote to memory of 2872	4008	dllhost.exe	111
PID 4008 wrote to memory of 2872	4008	dllhost.exe	111
PID 2872 wrote to memory of 2184	2872	cmd.exe	113
PID 2872 wrote to memory of 2184	2872	cmd.exe	113
PID 2872 wrote to memory of 3068	2872	cmd.exe	114
PID 2872 wrote to memory of 3068	2872	cmd.exe	114
PID 2872 wrote to memory of 3356	2872	cmd.exe	116
PID 2872 wrote to memory of 3356	2872	cmd.exe	116
PID 3356 wrote to memory of 4432	3356	dllhost.exe	117
PID 3356 wrote to memory of 4432	3356	dllhost.exe	117
PID 4432 wrote to memory of 3948	4432	cmd.exe	119
PID 4432 wrote to memory of 3948	4432	cmd.exe	119
PID 4432 wrote to memory of 1868	4432	cmd.exe	120
PID 4432 wrote to memory of 1868	4432	cmd.exe	120
PID 4432 wrote to memory of 1308	4432	cmd.exe	122
PID 4432 wrote to memory of 1308	4432	cmd.exe	122
PID 1308 wrote to memory of 4420	1308	dllhost.exe	123
PID 1308 wrote to memory of 4420	1308	dllhost.exe	123
PID 4420 wrote to memory of 1956	4420	cmd.exe	125
PID 4420 wrote to memory of 1956	4420	cmd.exe	125
PID 4420 wrote to memory of 2824	4420	cmd.exe	126
PID 4420 wrote to memory of 2824	4420	cmd.exe	126
PID 4420 wrote to memory of 1836	4420	cmd.exe	127
PID 4420 wrote to memory of 1836	4420	cmd.exe	127
PID 1836 wrote to memory of 2712	1836	dllhost.exe	128
PID 1836 wrote to memory of 2712	1836	dllhost.exe	128
PID 2712 wrote to memory of 2200	2712	cmd.exe	130
PID 2712 wrote to memory of 2200	2712	cmd.exe	130
PID 2712 wrote to memory of 3592	2712	cmd.exe	131
PID 2712 wrote to memory of 3592	2712	cmd.exe	131
PID 2712 wrote to memory of 4424	2712	cmd.exe	132
PID 2712 wrote to memory of 4424	2712	cmd.exe	132
PID 4424 wrote to memory of 4136	4424	dllhost.exe	134
PID 4424 wrote to memory of 4136	4424	dllhost.exe	134
PID 4136 wrote to memory of 3740	4136	cmd.exe	136
PID 4136 wrote to memory of 3740	4136	cmd.exe	136
PID 4136 wrote to memory of 4376	4136	cmd.exe	137
PID 4136 wrote to memory of 4376	4136	cmd.exe	137
PID 4136 wrote to memory of 996	4136	cmd.exe	138
PID 4136 wrote to memory of 996	4136	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\0ad0b4a4a549230e090d712b5521bd96.exe
"C:\Users\Admin\AppData\Local\Temp\0ad0b4a4a549230e090d712b5521bd96.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWVOVUe3F2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3152
- - C:\Users\Default User\dllhost.exe
    "C:\Users\Default User\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKRKTUVm6f.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4416
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3592
    - - C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2GcGAitDf4.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OOZt0Q8yJv.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3068
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2GcGAitDf4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3592
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xKIkDfuouO.bat"
        18⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2072
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W8Ig2gXV94.bat"
        20⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:348
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat"
        22⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4036
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"
        24⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2428
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mzBmoeLRKc.bat"
        26⤵
        
        PID:3164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1472
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat"
        28⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2vzlDYcv1s.bat"
        30⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Users\Default User\dllhost.exe
        
        "C:\Users\Default User\dllhost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2GcGAitDf4.bat

Filesize
161B

MD5
bc916c71b49b67af86fab9e1952f3c6e

SHA1
e541617810552277c0736eeea6ef68c30764e01a

SHA256
d47ed638da30a611572fad1b9e20e5c192de3dcab3946e41fe2c83d19a91769c

SHA512
7a112beb39f8830d74a5486cb39afb57a81f094eae6bf42457afc931989dc19d1f57622a174ebe85937b15a510654e94eead2bc90c1240c0e3a3703407f1ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vzlDYcv1s.bat

Filesize
161B

MD5
e8b163e231c12811902ff12950ba420b

SHA1
5ffbc73f2d4ed3cbcaa8d7745743b5db9ad7e4db

SHA256
636e54919ffd2ac12164eb0cfcec0eb11f10f7408e95db516babe2dec7bcdcd3

SHA512
6aef1f5a40ef003ff2d76f2cccc782dd233c416d72adc58be63ef2e32e304b788be1c577082999a7f6f3cb8e153e5301069406b259990c1dd7bf938d9b18ae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kHW8Esv2t.bat

Filesize
209B

MD5
c66c7deae7bbaa7c741ec7764cd3a88a

SHA1
bd0fb07efd4f10882c42a8463e97b7296d511857

SHA256
9c0b925b417d1eaa9c048121f5878fc80fce8476b685da805b7ac39b437ab487

SHA512
5464e6205f37d07c6894e249ea984fc3d6c6f4584c6cb54b1a8a0e31f3671a3220deeb13138ffba6daedfc1232440013e4791345b5b434b63d26dedb5419f6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOZt0Q8yJv.bat

Filesize
209B

MD5
6ad0d45480075da7ea78c786bdcb4709

SHA1
42322ec76c17711ed2aa5342efaa12ac83b2a2b9

SHA256
380d826cc243831cc0e1b7e6cccc096570831a7f1bf8da37214856ec120ae0f4

SHA512
bef5ccda657a8e00c6642f37ba3417e437bdf47a85e5a642852c50ce8e67cab987a7549f85682a3e946c53eea498e7a00f787ee06cc2c545d56f7f66e6bb3388

Download Submit
C:\Users\Admin\AppData\Local\Temp\W8Ig2gXV94.bat

Filesize
209B

MD5
fbc0c191f4f6617a4441ea9b202baab5

SHA1
ed7457833191e76620352c954b9b9c6b6faf16d1

SHA256
7b8fa2a2274fd6934335f2186cf1a944e2cc14db71ca976532de4adf97962f30

SHA512
470a126714c3bf3825238d62f429425f6ec148ec94ca2939c15b71c8fc86182bb7acba525666609f34e870058aa6613f96586fb605a2c6d339bcf0dd4f339548

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWVOVUe3F2.bat

Filesize
209B

MD5
ca0ae5a6072fdc5badc3e7b51196fcbc

SHA1
a7c5257bde01992a947c5b2e253534f62ee74fe6

SHA256
ea641f0dcfb077f64494f7025b4521ec0035f3d350d6919b2cc923c533c8a4d9

SHA512
06a9f5ffc8d76723cda5a9f5b13a693c7dc746834e77e08009599b07fb9a8c53562326ed461bf05e518298cb79ba4b382d7b1cf6373b5b882373b5a7c0d5b11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKRKTUVm6f.bat

Filesize
209B

MD5
d56e3e6f681de899b677d61b0681c1fb

SHA1
58d5260477adc8380d860c11a495f3752fb72c86

SHA256
cfd53073e1642576aac52437ef59831e3f09264e5575cd4656bbc97e0b97325b

SHA512
448d1f4985fc266598455bdf354d748960ad1bbe4eef1c4159fae1816368af79dd3a95fe42310518bed12a3eb4787d2c6dc8b40f266d93d64314ab5888c01865

Download Submit
C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat

Filesize
161B

MD5
2ce0ac8955d6c2e507c6afb583fab381

SHA1
d71873d790109942b09e9f1bc10d0918b0b9e2d8

SHA256
6d03e5c0c02ab06370c08bd2b77f9d99a997ef9416cd1e9fafb9dae9cc31a2eb

SHA512
288a0da61effb03d9ff2b2f6fb57bc5b72030a38650b4af4e7c4cbcde2923e42487a7dbce285baf318fe7d674d1d6084c60194e7d0cca0a1f8e225bfa4137744

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2sGrcN1Zw.bat

Filesize
209B

MD5
79b26bb979b0f98bb420361114c44f6a

SHA1
5ef49629c7629ce53dc641a8774e3cf1d5816afd

SHA256
8a7a032874fdf9a9de9e0a6a5a3761ac9584effddf90c8ca9f03f412044c0bad

SHA512
b0ed0b2db9fbc6d7892ce6c631d128b1469b2063f44558a1c8d2f7b80292dc5d7a06ddfbcb9071415f9bf4c60ad2961e31bbfa0b2b817ee42158d6035683523c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat

Filesize
161B

MD5
88b1c30d80e0db91366e8593e45170f2

SHA1
37c2d21f67113245a3cdcb3e07472af0a2e5bffa

SHA256
a23e02ceb9b633dae9ddea9e2aad04e8307f60e51328404ebba835ce24cf2113

SHA512
a913a406e76c3f2ae46d71ef5cb1c5fb3756bcb089e0d27ae1f183e4f0f08b4f8368397eee4a8d15f428b40b92977504ecb87d619164c38e0dbd9aa34c589b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzBmoeLRKc.bat

Filesize
209B

MD5
991166a01caeda7d32464c7281afa9d8

SHA1
ea7921d5454a94f5adfb515f9ac925dc3e607305

SHA256
b969d9ab0e604c9a5ae277523e4ac97da440b3dd31d42030462775a03f85e2d8

SHA512
f3fcf53ce683520009859e3db62a490028b468ab9fd1d8889002028e883a407bf10a03bc428824b4086cf04f7beb6e4aff3994f3ede5acd0df89b2cb814ab286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat

Filesize
209B

MD5
e50cab975083ac5b5edb3f4f09e70810

SHA1
8ef243d0649bdd4486913d82bb657e60d7392567

SHA256
ee345c427d39a2fa4ea1dd839c3ba934db8100d6688aae1b5f36c6fa18dcbab2

SHA512
e1e1700028f7a67c00535b49d245c823b0f7c49b5a57a85e5112bc011ee1f23d44cedd3168afbcebcf6e5247bf83f67f8b08ae5304005a0da46e7eb611ab3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat

Filesize
161B

MD5
50df14cbe04d624081e3f5f5b46cdd13

SHA1
0a58b23220401a7a5a5376bd6e3976852ef6b648

SHA256
5e3ae7d38162243ef362652003577284cab4f21c8eed6e6f40e6423e0a4d5415

SHA512
7edcacedfe296d27a7482788ff198592d11c5e02c340f7c479462a1fa6a2aefa181d7dd86ad2a0fb887e7bd95ba614731edfb13626ae2a7d9c78b3d8117e1cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKIkDfuouO.bat

Filesize
209B

MD5
45e3d4a7614fc1e770e6b73b25b59c97

SHA1
3f54afb3a515826c27ed34f43fd4e0c7c2c9a68f

SHA256
02adc8c0a741c3b31709ab71dc4f27a0b1ff1be021ac9557590c2c443728c22b

SHA512
13b177174a8e1bc2461ea9482d69909ca26d086a5d9b69294c292421d04c3b39475fb1d725ef5162aa93abdd27e7243bebf17864a0a936f8f3c04c3291cd34cc

Download Submit
C:\Users\Default\dllhost.exe

Filesize
3.3MB

MD5
0ad0b4a4a549230e090d712b5521bd96

SHA1
55690e0d976955e80f14c314efcaa34e3303a02b

SHA256
9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

SHA512
b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027

Download Submit
memory/4008-141-0x000000001CB10000-0x000000001CC12000-memory.dmp

Filesize
1.0MB

Download
memory/4740-19-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download
memory/4740-66-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-28-0x000000001D3E0000-0x000000001D908000-memory.dmp

Filesize
5.2MB

Download
memory/4740-37-0x000000001CEB0000-0x000000001CF0A000-memory.dmp

Filesize
360KB

Download
memory/4740-35-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/4740-38-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-33-0x000000001B850000-0x000000001B860000-memory.dmp

Filesize
64KB

Download
memory/4740-40-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/4740-44-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/4740-46-0x000000001CF10000-0x000000001CF5E000-memory.dmp

Filesize
312KB

Download
memory/4740-42-0x000000001BA80000-0x000000001BA8E000-memory.dmp

Filesize
56KB

Download
memory/4740-31-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-30-0x000000001B840000-0x000000001B84E000-memory.dmp

Filesize
56KB

Download
memory/4740-48-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-55-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-25-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-63-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-24-0x000000001B8C0000-0x000000001B8D6000-memory.dmp

Filesize
88KB

Download
memory/4740-27-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

Filesize
72KB

Download
memory/4740-21-0x000000001B8A0000-0x000000001B8B2000-memory.dmp

Filesize
72KB

Download
memory/4740-22-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-1-0x00000000008A0000-0x0000000000BE6000-memory.dmp

Filesize
3.3MB

Download
memory/4740-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/4740-17-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/4740-10-0x00000000013C0000-0x00000000013CE000-memory.dmp

Filesize
56KB

Download
memory/4740-13-0x000000001BA10000-0x000000001BA60000-memory.dmp

Filesize
320KB

Download
memory/4740-15-0x000000001B880000-0x000000001B898000-memory.dmp

Filesize
96KB

Download
memory/4740-12-0x000000001B860000-0x000000001B87C000-memory.dmp

Filesize
112KB

Download
memory/4740-8-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-7-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-6-0x0000000002D10000-0x0000000002D36000-memory.dmp

Filesize
152KB

Download
memory/4740-4-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-3-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-117-0x000000001C720000-0x000000001C822000-memory.dmp

Filesize
1.0MB

Download