dcrat | 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Size

3.5MB
MD5

6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1

0eba0dd22b3f5053798eba26e027ef7383602774
SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512

f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP

98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Drops file in Windows directory 5 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

description	ioc	Process
File created	C:\Windows\system\5940a34987c991	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File opened for modification	C:\Windows\LiveKernelReports\dllhost.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Windows\LiveKernelReports\5940a34987c991	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
File created	C:\Windows\system\dllhost.exe	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2640	PING.EXE
1932	PING.EXE
564	PING.EXE
2412	PING.EXE
2124	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2124	PING.EXE
2640	PING.EXE
1932	PING.EXE
564	PING.EXE
2412	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

pid	Process
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

description	pid	Process
Token: SeDebugPrivilege	2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2504	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	1952	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	1688	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2428	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	324	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2336	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	496	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
Token: SeDebugPrivilege	2852	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.execmd.exe

description	pid	Process	procid_target
PID 2964 wrote to memory of 2612	2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	28
PID 2964 wrote to memory of 2612	2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	28
PID 2964 wrote to memory of 2612	2964	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	28
PID 2612 wrote to memory of 2728	2612	cmd.exe	30
PID 2612 wrote to memory of 2728	2612	cmd.exe	30
PID 2612 wrote to memory of 2728	2612	cmd.exe	30
PID 2612 wrote to memory of 2640	2612	cmd.exe	31
PID 2612 wrote to memory of 2640	2612	cmd.exe	31
PID 2612 wrote to memory of 2640	2612	cmd.exe	31
PID 2612 wrote to memory of 2504	2612	cmd.exe	32
PID 2612 wrote to memory of 2504	2612	cmd.exe	32
PID 2612 wrote to memory of 2504	2612	cmd.exe	32
PID 2504 wrote to memory of 1972	2504	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	36
PID 2504 wrote to memory of 1972	2504	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	36
PID 2504 wrote to memory of 1972	2504	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	36
PID 1972 wrote to memory of 2424	1972	cmd.exe	38
PID 1972 wrote to memory of 2424	1972	cmd.exe	38
PID 1972 wrote to memory of 2424	1972	cmd.exe	38
PID 1972 wrote to memory of 1932	1972	cmd.exe	39
PID 1972 wrote to memory of 1932	1972	cmd.exe	39
PID 1972 wrote to memory of 1932	1972	cmd.exe	39
PID 1972 wrote to memory of 1952	1972	cmd.exe	40
PID 1972 wrote to memory of 1952	1972	cmd.exe	40
PID 1972 wrote to memory of 1952	1972	cmd.exe	40
PID 1952 wrote to memory of 1152	1952	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	41
PID 1952 wrote to memory of 1152	1952	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	41
PID 1952 wrote to memory of 1152	1952	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	41
PID 1152 wrote to memory of 880	1152	cmd.exe	43
PID 1152 wrote to memory of 880	1152	cmd.exe	43
PID 1152 wrote to memory of 880	1152	cmd.exe	43
PID 1152 wrote to memory of 564	1152	cmd.exe	44
PID 1152 wrote to memory of 564	1152	cmd.exe	44
PID 1152 wrote to memory of 564	1152	cmd.exe	44
PID 1152 wrote to memory of 1688	1152	cmd.exe	45
PID 1152 wrote to memory of 1688	1152	cmd.exe	45
PID 1152 wrote to memory of 1688	1152	cmd.exe	45
PID 1688 wrote to memory of 1080	1688	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	46
PID 1688 wrote to memory of 1080	1688	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	46
PID 1688 wrote to memory of 1080	1688	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	46
PID 1080 wrote to memory of 824	1080	cmd.exe	48
PID 1080 wrote to memory of 824	1080	cmd.exe	48
PID 1080 wrote to memory of 824	1080	cmd.exe	48
PID 1080 wrote to memory of 2412	1080	cmd.exe	49
PID 1080 wrote to memory of 2412	1080	cmd.exe	49
PID 1080 wrote to memory of 2412	1080	cmd.exe	49
PID 1080 wrote to memory of 2428	1080	cmd.exe	50
PID 1080 wrote to memory of 2428	1080	cmd.exe	50
PID 1080 wrote to memory of 2428	1080	cmd.exe	50
PID 2428 wrote to memory of 2512	2428	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	51
PID 2428 wrote to memory of 2512	2428	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	51
PID 2428 wrote to memory of 2512	2428	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	51
PID 2512 wrote to memory of 1968	2512	cmd.exe	53
PID 2512 wrote to memory of 1968	2512	cmd.exe	53
PID 2512 wrote to memory of 1968	2512	cmd.exe	53
PID 2512 wrote to memory of 1680	2512	cmd.exe	54
PID 2512 wrote to memory of 1680	2512	cmd.exe	54
PID 2512 wrote to memory of 1680	2512	cmd.exe	54
PID 2512 wrote to memory of 324	2512	cmd.exe	55
PID 2512 wrote to memory of 324	2512	cmd.exe	55
PID 2512 wrote to memory of 324	2512	cmd.exe	55
PID 324 wrote to memory of 1944	324	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	56
PID 324 wrote to memory of 1944	324	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	56
PID 324 wrote to memory of 1944	324	9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe	56
PID 1944 wrote to memory of 2800	1944	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UXovnHxixt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2728
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
    "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kE5LbAifMs.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2424
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqmi30yQ6b.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"
        14⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
        16⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat"
        18⤵
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat

Filesize
230B

MD5
e5d8f647d623d641e6796899b0285756

SHA1
58bb40b0c07bdcc5c7a9afbac0e9f0613d069b1f

SHA256
2326b4db373cec6f8d635c2999dd51029a00976a72153eea058722243b4f6198

SHA512
55ac841becd33810e7947e1693b8ecd19c01c9964bcfc1e72bba1aa046d8c12686d13500b953a98a5712fc6e1fe34f78bfe8a4e18a834bd1f6f93371de91bf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat

Filesize
278B

MD5
f610728524e90c0c27d1692a5969a731

SHA1
87de4635b1b1cd6378772e28ace84762fe6a5c25

SHA256
a59c79dddbf35afd2b0c701b7310d4372ebc28a2ded197481aac874597455e98

SHA512
645153d1ebbdcab7d9cd9009b19a9a6364b6a968a3eea3898c10490f0b3113ec6eb45bacc01a65b245e030d25cfcfb6dc8801e28eb705cda83b615685cd3cd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat

Filesize
278B

MD5
be6196e4965ace9c677f740099ebcb83

SHA1
e0d89668bf7d79201d0fdaf5bfe2e97ec63d022b

SHA256
b1a616aba8614a0cdd257498a4175b9b8e99be867dcbf5484fabf74c6c0139ce

SHA512
42b523e06327eddd8955776d163ee9b439980c9668d40d146ebfd16d58d18dd6daf7ffbef054a402711c1d2c1ab1dc9f5a1d105d145f41236252e639c496549b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXovnHxixt.bat

Filesize
230B

MD5
e686a2706e183645f92ae0ea08207c02

SHA1
6f4762a0bd6687d18ea172e22c456b6f74762e65

SHA256
9f1db0783260540cb60e5ff8bf7bd27172e4da9411e72119199229aab8c3d642

SHA512
0a34358a91ca08c1c7668cc1728d83d4e44f3c9d3f56cb8bf7cce334bb9cdc140a3d6d9d5e8b6118b658f4c6db82db4eeebe94f944f3e67bc939cbdc2c388753

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat

Filesize
230B

MD5
934daefeeb926725df4e3561f9a07198

SHA1
2bc811912a8b7b6de302a4c86f9acac18852f7ed

SHA256
4b6ba06499d7f5947cb048ec17bb4ab459fce705001abcb47dca143b9d48de42

SHA512
1089955283721f5fc9abbbf4b5f3094c41274373c54f174c28aa69c7bc11c9065e69a6bb3581dec8c23ed924414c0b244f0bfb858628c9525fbe67d99e42c1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqmi30yQ6b.bat

Filesize
230B

MD5
c8beb8eb16d9dfb853259a6a19bd6804

SHA1
96689025e44cce468663b25f894165f76e3513eb

SHA256
5c351cb3fb26d6d08f2226712aa231919cd14b1a717ba789723cfc2c8668e71e

SHA512
315ce1624323ed5794bd96c42d0888b78a4fe28d7a4e16a00ca4645c17acdced36e3bb848be03043aa94827f95befa19d5fcb0e51ff0ab618386d30980f3aa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\kE5LbAifMs.bat

Filesize
230B

MD5
02f7731e9934c2cdb991356487d7fff1

SHA1
05453942f1c110ca51ba848a586e5f0f32582d96

SHA256
2f9e31e1e241872be10e1408a740efae6594d2ac7c82b8ff0741a20177121fcb

SHA512
f25e9761c8f833c3b656864fa8e20469f9a558c36d9f785dfba191f9e3d865ef089d7a3b90fffd1b75011845968202acd53ace212ae74144c95abb5b569e3508

Download Submit
C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

Filesize
278B

MD5
8a97785a93e5eeb74c16444eca4620d7

SHA1
5c67449dcc8e8773c94f28c85b32e5b331c48509

SHA256
3fa5bd1dd2c5986be8e6eabe25da6f185538654de92fd742268d23ee4f1d95d8

SHA512
5e895cb22553667e80e81cde231fc32a1247c929ec6451324904d4d55f8acd5a97b00d29e6718a03f64b621f7295c5808541dbbe754d828a781a923493ba7e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat

Filesize
278B

MD5
4dac3b53725754fff338cf006a8d6fbf

SHA1
d915dec24102922ae0d453e47cf12a5ac21fa341

SHA256
cc86b5b91c09a16d9897c34c1ac4e55923801d9315d5ed997a5b60d9a729ec06

SHA512
cd6bc60d69ba4be98cedb3c7a997faf17ff7b41777aa9d377a2c22697fef6d1d18cc48d60d4360404279165874c29e858312d5df942c4eab055a9713188d55ed

Download Submit
C:\Windows\system\dllhost.exe

Filesize
3.5MB

MD5
6c5f6433bae4cbf3dc2d1fd40b716b08

SHA1
0eba0dd22b3f5053798eba26e027ef7383602774

SHA256
9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

SHA512
f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

Download Submit
memory/324-178-0x0000000001250000-0x00000000015D6000-memory.dmp

Filesize
3.5MB

Download
memory/1688-124-0x0000000000010000-0x0000000000396000-memory.dmp

Filesize
3.5MB

Download
memory/2428-151-0x0000000000A50000-0x0000000000DD6000-memory.dmp

Filesize
3.5MB

Download
memory/2504-71-0x00000000010E0000-0x0000000001466000-memory.dmp

Filesize
3.5MB

Download
memory/2964-18-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2964-52-0x000000001BC40000-0x000000001BC8E000-memory.dmp

Filesize
312KB

Download
memory/2964-25-0x000000001B210000-0x000000001B222000-memory.dmp

Filesize
72KB

Download
memory/2964-27-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2964-29-0x000000001B230000-0x000000001B246000-memory.dmp

Filesize
88KB

Download
memory/2964-30-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-32-0x000000001B250000-0x000000001B262000-memory.dmp

Filesize
72KB

Download
memory/2964-34-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/2964-36-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2964-38-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2964-39-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-41-0x000000001B860000-0x000000001B8BA000-memory.dmp

Filesize
360KB

Download
memory/2964-43-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

Filesize
56KB

Download
memory/2964-45-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/2964-46-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-48-0x000000001B270000-0x000000001B27E000-memory.dmp

Filesize
56KB

Download
memory/2964-50-0x000000001B800000-0x000000001B818000-memory.dmp

Filesize
96KB

Download
memory/2964-23-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-22-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2964-67-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-20-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2964-69-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2964-16-0x000000001B1D0000-0x000000001B1E8000-memory.dmp

Filesize
96KB

Download
memory/2964-14-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2964-12-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-11-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2964-9-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/2964-7-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-6-0x00000000023F0000-0x0000000002416000-memory.dmp

Filesize
152KB

Download
memory/2964-4-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-3-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-2-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-1-0x0000000000930000-0x0000000000CB6000-memory.dmp

Filesize
3.5MB

Download