dcrat | 9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Size

3.3MB
MD5

0ad0b4a4a549230e090d712b5521bd96
SHA1

55690e0d976955e80f14c314efcaa34e3303a02b
SHA256

9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429
SHA512

b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027
SSDEEP

49152:dvE7aj/zSltwCUFFINtKAh/tIBs2htYmMoxqSeU843FULbiGLSkGHuIB6MlwALMV:9FzPFFIv7h/KVWYxVeE+i1FOIB6Mmkw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 12 IoCs

pid	Process
2396	audiodg.exe
1676	audiodg.exe
2032	audiodg.exe
2664	audiodg.exe
1380	audiodg.exe
828	audiodg.exe
1720	audiodg.exe
2360	audiodg.exe
2356	audiodg.exe
2576	audiodg.exe
1580	audiodg.exe
2648	audiodg.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\42af1c969fbb7b	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1832	PING.EXE
1696	PING.EXE
1608	PING.EXE
1236	PING.EXE
1268	PING.EXE
1724	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1236	PING.EXE
1268	PING.EXE
1724	PING.EXE
1832	PING.EXE
1696	PING.EXE
1608	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
Token: SeDebugPrivilege	2396	audiodg.exe
Token: SeDebugPrivilege	1676	audiodg.exe
Token: SeDebugPrivilege	2032	audiodg.exe
Token: SeDebugPrivilege	2664	audiodg.exe
Token: SeDebugPrivilege	1380	audiodg.exe
Token: SeDebugPrivilege	828	audiodg.exe
Token: SeDebugPrivilege	1720	audiodg.exe
Token: SeDebugPrivilege	2360	audiodg.exe
Token: SeDebugPrivilege	2356	audiodg.exe
Token: SeDebugPrivilege	2576	audiodg.exe
Token: SeDebugPrivilege	1580	audiodg.exe
Token: SeDebugPrivilege	2648	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2996	3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe	30
PID 3028 wrote to memory of 2996	3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe	30
PID 3028 wrote to memory of 2996	3028	9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe	30
PID 2996 wrote to memory of 1560	2996	cmd.exe	32
PID 2996 wrote to memory of 1560	2996	cmd.exe	32
PID 2996 wrote to memory of 1560	2996	cmd.exe	32
PID 2996 wrote to memory of 1752	2996	cmd.exe	33
PID 2996 wrote to memory of 1752	2996	cmd.exe	33
PID 2996 wrote to memory of 1752	2996	cmd.exe	33
PID 2996 wrote to memory of 2396	2996	cmd.exe	34
PID 2996 wrote to memory of 2396	2996	cmd.exe	34
PID 2996 wrote to memory of 2396	2996	cmd.exe	34
PID 2396 wrote to memory of 1772	2396	audiodg.exe	36
PID 2396 wrote to memory of 1772	2396	audiodg.exe	36
PID 2396 wrote to memory of 1772	2396	audiodg.exe	36
PID 1772 wrote to memory of 2264	1772	cmd.exe	38
PID 1772 wrote to memory of 2264	1772	cmd.exe	38
PID 1772 wrote to memory of 2264	1772	cmd.exe	38
PID 1772 wrote to memory of 1728	1772	cmd.exe	39
PID 1772 wrote to memory of 1728	1772	cmd.exe	39
PID 1772 wrote to memory of 1728	1772	cmd.exe	39
PID 1772 wrote to memory of 1676	1772	cmd.exe	40
PID 1772 wrote to memory of 1676	1772	cmd.exe	40
PID 1772 wrote to memory of 1676	1772	cmd.exe	40
PID 1676 wrote to memory of 1556	1676	audiodg.exe	41
PID 1676 wrote to memory of 1556	1676	audiodg.exe	41
PID 1676 wrote to memory of 1556	1676	audiodg.exe	41
PID 1556 wrote to memory of 1780	1556	cmd.exe	43
PID 1556 wrote to memory of 1780	1556	cmd.exe	43
PID 1556 wrote to memory of 1780	1556	cmd.exe	43
PID 1556 wrote to memory of 2724	1556	cmd.exe	44
PID 1556 wrote to memory of 2724	1556	cmd.exe	44
PID 1556 wrote to memory of 2724	1556	cmd.exe	44
PID 1556 wrote to memory of 2032	1556	cmd.exe	45
PID 1556 wrote to memory of 2032	1556	cmd.exe	45
PID 1556 wrote to memory of 2032	1556	cmd.exe	45
PID 2032 wrote to memory of 2272	2032	audiodg.exe	46
PID 2032 wrote to memory of 2272	2032	audiodg.exe	46
PID 2032 wrote to memory of 2272	2032	audiodg.exe	46
PID 2272 wrote to memory of 1600	2272	cmd.exe	48
PID 2272 wrote to memory of 1600	2272	cmd.exe	48
PID 2272 wrote to memory of 1600	2272	cmd.exe	48
PID 2272 wrote to memory of 1608	2272	cmd.exe	49
PID 2272 wrote to memory of 1608	2272	cmd.exe	49
PID 2272 wrote to memory of 1608	2272	cmd.exe	49
PID 2272 wrote to memory of 2664	2272	cmd.exe	50
PID 2272 wrote to memory of 2664	2272	cmd.exe	50
PID 2272 wrote to memory of 2664	2272	cmd.exe	50
PID 2664 wrote to memory of 2996	2664	audiodg.exe	51
PID 2664 wrote to memory of 2996	2664	audiodg.exe	51
PID 2664 wrote to memory of 2996	2664	audiodg.exe	51
PID 2996 wrote to memory of 2276	2996	cmd.exe	53
PID 2996 wrote to memory of 2276	2996	cmd.exe	53
PID 2996 wrote to memory of 2276	2996	cmd.exe	53
PID 2996 wrote to memory of 1236	2996	cmd.exe	54
PID 2996 wrote to memory of 1236	2996	cmd.exe	54
PID 2996 wrote to memory of 1236	2996	cmd.exe	54
PID 2996 wrote to memory of 1380	2996	cmd.exe	55
PID 2996 wrote to memory of 1380	2996	cmd.exe	55
PID 2996 wrote to memory of 1380	2996	cmd.exe	55
PID 1380 wrote to memory of 1820	1380	audiodg.exe	56
PID 1380 wrote to memory of 1820	1380	audiodg.exe	56
PID 1380 wrote to memory of 1820	1380	audiodg.exe	56
PID 1820 wrote to memory of 596	1820	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe
"C:\Users\Admin\AppData\Local\Temp\9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BQrP1Q2nBd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1560
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1752
- - C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2264
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1728
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uhjF8j8k7U.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cAX6N4jPhb.bat"
        14⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRBFrjfuSR.bat"
        16⤵
        
        PID:1488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat"
        18⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
        20⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CRpzSJfEpm.bat"
        22⤵
        
        PID:1092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        24⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\audiodg.exe

Filesize
3.3MB

MD5
0ad0b4a4a549230e090d712b5521bd96

SHA1
55690e0d976955e80f14c314efcaa34e3303a02b

SHA256
9882ee185d8d4db2a86040b7e3c7687cef737470f2a7b5c88868e80880cbd429

SHA512
b689ab2b7e3a59f760d3c6cb3b72927e3dc0eb9323aceb05c2571ca85863fc769098924b943e6e80edb1853c348451869996fd4c38a7dd10dc8e2970e5d4d027

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQrP1Q2nBd.bat

Filesize
231B

MD5
a7af9d0f95e3a731b06db7451734c504

SHA1
b2632cf6d7b1aaaae5ecebf3ba18aae83fcddcb7

SHA256
d9def0f7a4fed1325c6ec19dcf325cb77899136cd70a4021a21bba78a55c5eee

SHA512
ee8dbf497668f9f7bfe96597845f10ab7bee7472540cb4eccef8f6ebf39c7e3d1d953303ba4ab189f657b13e746113c0eb1b43656c39e1e565815a2bc71707eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRpzSJfEpm.bat

Filesize
231B

MD5
7190ac9faeec588e536fe20c5fe5af81

SHA1
fc3ae0ef9aef4c1f8c3f4e34d612bd5bc94af195

SHA256
c872a6b650504a306edba6aeb100b6de4c5a711dec29891e4ea4beafe4c8d698

SHA512
fd5fe28ef2251b76abaf2fb7ef9b9dde48fc97d7fc0a92d18264df016dea9893d3e78c6033ead44d182c891086b71e06f4d90a5f8e2c8043f66a721dd5d44c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat

Filesize
183B

MD5
e3c29e959b15db4fa327ee72279e34fc

SHA1
96488ca8bd4f2516e945a8c0ad239db3742e8181

SHA256
21da52917f0bc439051dc27f802e31ab52cc194bdf69e3df34b16977631a9a4b

SHA512
4e4017f4f388ae153cf408d9d18cad5b861afd1138a7c145e0a7bf7c23a18e157260a692889e124af0732cc9d2cd6de4964e57ff95b7d16ea9643763ca37ae9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat

Filesize
231B

MD5
02e90011f9f3af9f22e0b498f46ad39e

SHA1
2e001cc8349e511680e5e22f42e76b7d5dceab94

SHA256
a00492f00bc76edd6c490dea53234050a6891f304b6438e204ac5a3203bf8939

SHA512
a0fd86c40b740c497e5c7d6883b884d84b67dee0a56c2e18399cdecbf06a136c4bfdbf7a1b3cff2aeaf4e1ac641bc6fe02cc17f828ad83d7e121da40e1b6ae17

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAX6N4jPhb.bat

Filesize
183B

MD5
7a3f623c149ce6725c6dbb4a062e5418

SHA1
929be9589f6a51534c645164dac8bc9e07014379

SHA256
33b116be87dc55d49d1b5c4f4db1e6f7a4072535d47e3f93a0f8bd1ed0ad83df

SHA512
b889b5f4d29fed573fca7385847469e847e83ecf57d374be8c76c2b32d21dab819b5c60e6b7d33280ba6edc5981f8fba97639a8e07c5ad33544c47002ecebcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRBFrjfuSR.bat

Filesize
183B

MD5
4bb819f51cbe5179109c4616c74ccb58

SHA1
47f7a5854634d244ec84ccbeb4a18e3b6d57610b

SHA256
80bfa4f53c1495b8bffabb312bea641a91617f892d94a43aef1062207d19bb08

SHA512
855333255d3111262275cbce0b0879a2d467810c4ddac6c3d282da8a639fab3e2f19ad1fa346d9b7d0042c672983af868e86b8830da4bfd8a32e3e639c1de793

Download Submit
C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat

Filesize
183B

MD5
453db8090333eb17b434ab1ed065c92c

SHA1
a89a25b827b9b56655eb73d56cf711dd7fb339d3

SHA256
a4d16e3226d5b17c81bf921c3d212ce3fc143805ac6e9702607d08d0203ec5f7

SHA512
dd04dfa8ad6b2a8daf7b0300f332c9c1aedbc3b9ea5e44497c49740e8f0f2dac49cbba83d49d69e9681b491694fa85e61e268634620f9262ef58367ee29eab89

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat

Filesize
231B

MD5
b64520e27c29773db6f02b9021b08454

SHA1
2fc94e05c8576cda2ce3e220534235429824444d

SHA256
e52e56f9cf2e0b2aff986fe3aa12811599c65527ff0a96897543a5bd551c5fe7

SHA512
03cb274a245ad5957bd6942f908fc9e9cef3a5e1f249f09521763a61654f6ee34a880f3d4080e3e606687dc7525518dc18c6fc49f651e0fff9b9e90a9aaeb4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
231B

MD5
2018a306c3de1bb5587bc550f8fd50de

SHA1
e6ef379be018a0847f629a111ae15a74525804f0

SHA256
09527f1c88cdb9bac15ad22754338a08540caccf6db431787c2976a4c436084e

SHA512
3e0311f41a48b28d1644ac637bf4a7466766f93759195101a13f65b813238db27618d788b1607ddb82a9fcbf7ee640780c065eccc33e5fc4bb8f01c4850207ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat

Filesize
183B

MD5
08fdb76c22b45acbea02756e1c0e1f6a

SHA1
b2d8c93c1ac953ad1ad727687d008f9d1a0cd91c

SHA256
2f805fe06b76d47593ab1077628336cbcc851535565d4bdb77e95eb532bc1e3d

SHA512
42a98793885587ec236603640079bd6f0531e1761707be3971a9e857b6b0cf54eaca84b318cdc96b2cef7c78d88bb81a380e06f426e0da834d7e6e774e68f5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat

Filesize
183B

MD5
01aa6b0c6aeaecf9d9286bb1d1e5304e

SHA1
5ec1c483f74df7f80205cace35218797599067be

SHA256
4da9316be7973354dfcf82dc9a965a6ebdfbc79d6ebd4272cf669c61a431a920

SHA512
4b855ba4c318d894d83f82731284bb6280ad15371d72bb8d48cdec31f090ee19e81fc581b8648680bfc4a4fc5f4938d83cd7b827fce545b1e4eb5206ef1dc5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhjF8j8k7U.bat

Filesize
231B

MD5
740da5350389fce40eeb5d5a9f575bf2

SHA1
6418a39cdbe742ceb73c28c32fd57b276d8902fc

SHA256
08f8dcaa3877b7382cbbd4084592c22ac59e682e3406e00b822ba8077b717642

SHA512
11e2853b02999d31627e4eb9e46f085fb5ce95bf2880e1351a2083f912a1006995f74ff86a65ab46822c040527b357ec721e184931a289304201600f979f82b6

Download Submit
memory/828-183-0x0000000000360000-0x00000000006A6000-memory.dmp

Filesize
3.3MB

Download
memory/1676-89-0x0000000000C10000-0x0000000000F56000-memory.dmp

Filesize
3.3MB

Download
memory/1720-207-0x0000000000880000-0x0000000000BC6000-memory.dmp

Filesize
3.3MB

Download
memory/2356-255-0x0000000001230000-0x0000000001576000-memory.dmp

Filesize
3.3MB

Download
memory/2360-231-0x0000000000BD0000-0x0000000000F16000-memory.dmp

Filesize
3.3MB

Download
memory/2396-65-0x0000000000A50000-0x0000000000D96000-memory.dmp

Filesize
3.3MB

Download
memory/2648-325-0x0000000000200000-0x0000000000546000-memory.dmp

Filesize
3.3MB

Download
memory/2664-136-0x0000000000ED0000-0x0000000001216000-memory.dmp

Filesize
3.3MB

Download
memory/3028-21-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/3028-19-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-38-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/3028-39-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-41-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/3028-43-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/3028-45-0x000000001AB10000-0x000000001AB5E000-memory.dmp

Filesize
312KB

Download
memory/3028-34-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-61-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-33-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/3028-31-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/3028-29-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/3028-27-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-26-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-25-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/3028-36-0x00000000025A0000-0x00000000025FA000-memory.dmp

Filesize
360KB

Download
memory/3028-23-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/3028-0-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/3028-16-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/3028-14-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/3028-12-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/3028-10-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/3028-8-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-7-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-6-0x0000000000580000-0x00000000005A6000-memory.dmp

Filesize
152KB

Download
memory/3028-4-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-3-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-2-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-1-0x0000000000B90000-0x0000000000ED6000-memory.dmp

Filesize
3.3MB

Download