dcrat | 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Size

3.5MB
MD5

6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1

0eba0dd22b3f5053798eba26e027ef7383602774
SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512

f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP

98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 11 IoCs

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2188	lsm.exe
2420	lsm.exe
752	lsm.exe
2148	lsm.exe
2700	lsm.exe
2436	lsm.exe
3028	lsm.exe
2064	lsm.exe
2396	lsm.exe
2656	lsm.exe
2400	lsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2660	PING.EXE
2776	PING.EXE
2468	PING.EXE
1604	PING.EXE
2644	PING.EXE
2444	PING.EXE
1716	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1716	PING.EXE
2660	PING.EXE
2776	PING.EXE
2468	PING.EXE
1604	PING.EXE
2644	PING.EXE
2444	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

pid	Process
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	pid	Process
Token: SeDebugPrivilege	1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2188	lsm.exe
Token: SeDebugPrivilege	2420	lsm.exe
Token: SeDebugPrivilege	752	lsm.exe
Token: SeDebugPrivilege	2148	lsm.exe
Token: SeDebugPrivilege	2700	lsm.exe
Token: SeDebugPrivilege	2436	lsm.exe
Token: SeDebugPrivilege	3028	lsm.exe
Token: SeDebugPrivilege	2064	lsm.exe
Token: SeDebugPrivilege	2396	lsm.exe
Token: SeDebugPrivilege	2656	lsm.exe
Token: SeDebugPrivilege	2400	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exelsm.execmd.exelsm.execmd.exelsm.execmd.exelsm.execmd.exelsm.execmd.exe

description	pid	Process	procid_target
PID 1908 wrote to memory of 2952	1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	30
PID 1908 wrote to memory of 2952	1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	30
PID 1908 wrote to memory of 2952	1908	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	30
PID 2952 wrote to memory of 2748	2952	cmd.exe	32
PID 2952 wrote to memory of 2748	2952	cmd.exe	32
PID 2952 wrote to memory of 2748	2952	cmd.exe	32
PID 2952 wrote to memory of 2776	2952	cmd.exe	33
PID 2952 wrote to memory of 2776	2952	cmd.exe	33
PID 2952 wrote to memory of 2776	2952	cmd.exe	33
PID 2952 wrote to memory of 2188	2952	cmd.exe	35
PID 2952 wrote to memory of 2188	2952	cmd.exe	35
PID 2952 wrote to memory of 2188	2952	cmd.exe	35
PID 2188 wrote to memory of 1368	2188	lsm.exe	37
PID 2188 wrote to memory of 1368	2188	lsm.exe	37
PID 2188 wrote to memory of 1368	2188	lsm.exe	37
PID 1368 wrote to memory of 2196	1368	cmd.exe	39
PID 1368 wrote to memory of 2196	1368	cmd.exe	39
PID 1368 wrote to memory of 2196	1368	cmd.exe	39
PID 1368 wrote to memory of 2468	1368	cmd.exe	40
PID 1368 wrote to memory of 2468	1368	cmd.exe	40
PID 1368 wrote to memory of 2468	1368	cmd.exe	40
PID 1368 wrote to memory of 2420	1368	cmd.exe	41
PID 1368 wrote to memory of 2420	1368	cmd.exe	41
PID 1368 wrote to memory of 2420	1368	cmd.exe	41
PID 2420 wrote to memory of 616	2420	lsm.exe	42
PID 2420 wrote to memory of 616	2420	lsm.exe	42
PID 2420 wrote to memory of 616	2420	lsm.exe	42
PID 616 wrote to memory of 1880	616	cmd.exe	44
PID 616 wrote to memory of 1880	616	cmd.exe	44
PID 616 wrote to memory of 1880	616	cmd.exe	44
PID 616 wrote to memory of 2056	616	cmd.exe	45
PID 616 wrote to memory of 2056	616	cmd.exe	45
PID 616 wrote to memory of 2056	616	cmd.exe	45
PID 616 wrote to memory of 752	616	cmd.exe	46
PID 616 wrote to memory of 752	616	cmd.exe	46
PID 616 wrote to memory of 752	616	cmd.exe	46
PID 752 wrote to memory of 2216	752	lsm.exe	47
PID 752 wrote to memory of 2216	752	lsm.exe	47
PID 752 wrote to memory of 2216	752	lsm.exe	47
PID 2216 wrote to memory of 1608	2216	cmd.exe	49
PID 2216 wrote to memory of 1608	2216	cmd.exe	49
PID 2216 wrote to memory of 1608	2216	cmd.exe	49
PID 2216 wrote to memory of 1604	2216	cmd.exe	50
PID 2216 wrote to memory of 1604	2216	cmd.exe	50
PID 2216 wrote to memory of 1604	2216	cmd.exe	50
PID 2216 wrote to memory of 2148	2216	cmd.exe	51
PID 2216 wrote to memory of 2148	2216	cmd.exe	51
PID 2216 wrote to memory of 2148	2216	cmd.exe	51
PID 2148 wrote to memory of 2100	2148	lsm.exe	52
PID 2148 wrote to memory of 2100	2148	lsm.exe	52
PID 2148 wrote to memory of 2100	2148	lsm.exe	52
PID 2100 wrote to memory of 2616	2100	cmd.exe	54
PID 2100 wrote to memory of 2616	2100	cmd.exe	54
PID 2100 wrote to memory of 2616	2100	cmd.exe	54
PID 2100 wrote to memory of 2644	2100	cmd.exe	55
PID 2100 wrote to memory of 2644	2100	cmd.exe	55
PID 2100 wrote to memory of 2644	2100	cmd.exe	55
PID 2100 wrote to memory of 2700	2100	cmd.exe	56
PID 2100 wrote to memory of 2700	2100	cmd.exe	56
PID 2100 wrote to memory of 2700	2100	cmd.exe	56
PID 2700 wrote to memory of 1772	2700	lsm.exe	57
PID 2700 wrote to memory of 1772	2700	lsm.exe	57
PID 2700 wrote to memory of 1772	2700	lsm.exe	57
PID 1772 wrote to memory of 2136	1772	cmd.exe	59

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fXNYKeC8BB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2748
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2776
- - C:\Users\Default\lsm.exe
    "C:\Users\Default\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2196
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
    - - C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzP9pAsQzT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2056
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"
        14⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        16⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1308
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat"
        18⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat"
        20⤵
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2184
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat"
        22⤵
        
        PID:428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1316
        
        C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe

Filesize
3.5MB

MD5
6c5f6433bae4cbf3dc2d1fd40b716b08

SHA1
0eba0dd22b3f5053798eba26e027ef7383602774

SHA256
9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

SHA512
f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
200B

MD5
93c95b82d4ee5fe8a71d9072a4c75663

SHA1
25b91fa9d9873d41ddb323d9d4a097e36179ceca

SHA256
b5074b6e22b93ff0d7a709bcbcaae16225b08c7abd0363fb67700bdb82052746

SHA512
ff563b36af2f8e8f4e292d2f32a6c7dfcbbc7fa4b7db19794f1361b2f95d62dc332fc586eb1308820de87644d7f32efd4891864a1f50ddc25e6dc483ebe75e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat

Filesize
152B

MD5
267dd78bf29a1b17e6f178e3ef412f23

SHA1
095c8043bbd1225df52217cb7cfdfa61255d9f60

SHA256
f680987325714b7488ac7da6abae7a0c84bbeefc05cf91f9330dd9d10ff2ac3e

SHA512
d5e2125145c1169670874fc706707d4947895795c24fc1c7fd08ccc8ee28794f1532f7e6e68fa05087d64d27cfa74653161af8d58e1d4d34866eddfd5c5b067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat

Filesize
152B

MD5
39ebc4d759b0230d5f1578ac89a10660

SHA1
00c6e1da239a6173d5de4685fa7880b6055c122b

SHA256
00062765c09df28ae5a10f72549b16607ea076d3956659170c0ba0c9608e1d3e

SHA512
d12d4aa1fefacb13cdbd53298c9f1a635e97e5228556269299c63c3412d5d14a086ac7f631efbb13e1a2c91b564436bf92902d5edd022d1d77cc4d8b7357d181

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzP9pAsQzT.bat

Filesize
200B

MD5
0e9610bd31d793432a9fea17f1912b51

SHA1
0b1667914f7b228ddcdc438aaa58e06005d74037

SHA256
f197056d5230e035246a780ee1720a3cfedf0d19b696f675e6c184d3a5e3709d

SHA512
05d4366ec4fa669e4dca037c27ea1af5e0d080af2deec3f94193131707d899a58c7257b42951d4602e83c36cbd45952a83aa37b12158ea41fb287830b466fe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat

Filesize
152B

MD5
8b7391d80ba4bcea2bc09fd16dab7cd1

SHA1
e688627f326ec9b619ff72be49467e7af358b656

SHA256
4b1df729bbd115c6d59d2f64c1265a1bf82e379c6b7b420fada9a60b6bf88153

SHA512
6838a55e97826f849f4ae6708b9dba1158f9b652ff46a29af2c6abd71e86e51243297bbcbd4c7e2efb219416981e41c489d265ab6a5affc7617fea8e5486ba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat

Filesize
152B

MD5
cc269feddc7252a222bd9c41d4d5b29a

SHA1
9ea47b81d7eaa69819953377f1433d31426cd416

SHA256
51750dd93ba9338faa2c6f0a2de52f460e47f563cb26cd96b6abc0089ff6f54f

SHA512
b315369245719864b0d35633bb5d7d16f203281adc7cd2738995d770b41aa7f2291d7750f28dae3fdfc2bec3968ea3caf6651650c115ae6cfbf8c9ca21767093

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat

Filesize
200B

MD5
80f9bb211e486e10b18b92ddde0cdfe7

SHA1
ae0183b364b6d5b5570cf45eeb47e6128aaacab4

SHA256
da024c7db228a555a6189e4abff69441b504ce7cc5e7df3a36607270f746acfa

SHA512
c2a4e564c34c9d27e7b2694c712c5dd42ac2ff7a9daf222ef4ef25028a27d93504a8b6ef23201ee24df1abe78f7ef0d98d7f0a62dd75dadf6d3c6cd39621628c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat

Filesize
200B

MD5
fae21672773cfe165d12982f72f1b8cd

SHA1
cab3158a4ae1e28d28db94ed7dc9f5fc2249705a

SHA256
5419945af7441cf8ca93564d8145ed94c8fc99a23b9f8e16836f8c8cfb141d2c

SHA512
4dfa4cde186c53b19a09bcdc3a8c9439025fd81cf9c1b088d0317f8c7e552cbd86b41d4726e11f3da9e0b8250bdbc7088a5b397f6360680537f27725693d54dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fXNYKeC8BB.bat

Filesize
152B

MD5
6194b93eec49bcf79d52fc1c9d1e227f

SHA1
feea11bf6bc0c6d7ee3c933ff51fc000a5333686

SHA256
e01c3f124f4dda9089ec77340c191001775da4766066c8150f85a1e21f866b45

SHA512
3f6af4cd3095ff07c44b5c5d6d03c4751a75763aafaa2b5f649afffd04b6ce302a8844ca601dfa9158aa8d253e1c674095549794a1f4279748d9774f05ae1a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat

Filesize
152B

MD5
7693c8e0f120e12b3b1c2265bac94eea

SHA1
dd2cdade3f994f1d5f48115fb15a60409095d5ca

SHA256
d0b33ac56980916ea7ca7e902c090fc21a07de106c848158d08a4c06a3476449

SHA512
24a7b9d55020a2685db400fd9882ddadbc570b730f1b062011771ebd8ccf83c8e7957306b18653f536233a4e557f2bd8de6fc1f2ea5bbca1e61fea4b6e322ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat

Filesize
152B

MD5
1265bc77b29dcb74d1605c7219bb324d

SHA1
0e43dee5cdbde357f47c9d5d5d5d089c4a9955ee

SHA256
3e44164ffefeae6edb62dd455453be4fda18d6ccabc3e6bca6c3ed5424e6feb6

SHA512
a9a182967884fcfb5810d760d2937a4388a414595611a74dd354a7b6c2b146a4ff7c4dcfa037c87a886c4631fbfc087c099a88f4380b9658b64e7edaf7f1d262

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/752-129-0x0000000000E60000-0x00000000011E6000-memory.dmp

Filesize
3.5MB

Download
memory/1908-19-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1908-20-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-24-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1908-25-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-27-0x0000000002230000-0x0000000002242000-memory.dmp

Filesize
72KB

Download
memory/1908-29-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1908-31-0x0000000002270000-0x0000000002286000-memory.dmp

Filesize
88KB

Download
memory/1908-33-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1908-34-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-35-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-37-0x0000000002220000-0x000000000222E000-memory.dmp

Filesize
56KB

Download
memory/1908-39-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1908-41-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/1908-43-0x000000001AA00000-0x000000001AA5A000-memory.dmp

Filesize
360KB

Download
memory/1908-45-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/1908-47-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/1908-49-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/1908-51-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/1908-53-0x000000001AE30000-0x000000001AE7E000-memory.dmp

Filesize
312KB

Download
memory/1908-22-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/1908-69-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-0-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x0000000000160000-0x00000000004E6000-memory.dmp

Filesize
3.5MB

Download
memory/1908-17-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

Filesize
96KB

Download
memory/1908-2-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-15-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1908-10-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/1908-12-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download
memory/1908-3-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-13-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-4-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-8-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-7-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-6-0x00000000008C0000-0x00000000008E6000-memory.dmp

Filesize
152KB

Download
memory/2064-268-0x00000000011E0000-0x0000000001566000-memory.dmp

Filesize
3.5MB

Download
memory/2148-157-0x0000000001060000-0x00000000013E6000-memory.dmp

Filesize
3.5MB

Download
memory/2188-73-0x0000000000340000-0x00000000006C6000-memory.dmp

Filesize
3.5MB

Download
memory/2420-101-0x00000000009A0000-0x0000000000D26000-memory.dmp

Filesize
3.5MB

Download
memory/2700-185-0x0000000001220000-0x00000000015A6000-memory.dmp

Filesize
3.5MB

Download
memory/3028-240-0x0000000000060000-0x00000000003E6000-memory.dmp

Filesize
3.5MB

Download