dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2948-1-0x0000000000020000-0x00000000000A0000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023c89-11.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 18 IoCs

pid	Process
4900	lsass.exe
1388	lsass.exe
4256	lsass.exe
4276	lsass.exe
4972	lsass.exe
3476	lsass.exe
2204	lsass.exe
3832	lsass.exe
376	lsass.exe
4268	lsass.exe
2092	lsass.exe
2824	lsass.exe
2828	lsass.exe
4716	lsass.exe
2544	lsass.exe
4348	lsass.exe
2196	lsass.exe
4776	lsass.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\lsass.exe	2.exe
File created	C:\Program Files (x86)\Windows Media Player\6203df4a6bafc7	2.exe
File created	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	2.exe
File created	C:\Program Files\Windows Multimedia Platform\5b884080fd4f94	2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\e1ef82546f0b02	2.exe
File created	C:\Windows\CbsTemp\SppExtComObj.exe	2.exe
File opened for modification	C:\Windows\CbsTemp\SppExtComObj.exe	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2000	PING.EXE
2120	PING.EXE
3212	PING.EXE
3136	PING.EXE
1760	PING.EXE
5076	PING.EXE
4880	PING.EXE
2428	PING.EXE
4756	PING.EXE
4472	PING.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	2.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	lsass.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
1760	PING.EXE
2120	PING.EXE
3212	PING.EXE
4756	PING.EXE
3136	PING.EXE
4472	PING.EXE
2000	PING.EXE
5076	PING.EXE
4880	PING.EXE
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe
2948	2.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	2.exe
Token: SeDebugPrivilege	4900	lsass.exe
Token: SeDebugPrivilege	1388	lsass.exe
Token: SeDebugPrivilege	4256	lsass.exe
Token: SeDebugPrivilege	4276	lsass.exe
Token: SeDebugPrivilege	4972	lsass.exe
Token: SeDebugPrivilege	3476	lsass.exe
Token: SeDebugPrivilege	2204	lsass.exe
Token: SeDebugPrivilege	3832	lsass.exe
Token: SeDebugPrivilege	376	lsass.exe
Token: SeDebugPrivilege	4268	lsass.exe
Token: SeDebugPrivilege	2092	lsass.exe
Token: SeDebugPrivilege	2824	lsass.exe
Token: SeDebugPrivilege	2828	lsass.exe
Token: SeDebugPrivilege	4716	lsass.exe
Token: SeDebugPrivilege	2544	lsass.exe
Token: SeDebugPrivilege	4348	lsass.exe
Token: SeDebugPrivilege	2196	lsass.exe
Token: SeDebugPrivilege	4776	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1788	2948	2.exe	83
PID 2948 wrote to memory of 1788	2948	2.exe	83
PID 1788 wrote to memory of 3232	1788	cmd.exe	85
PID 1788 wrote to memory of 3232	1788	cmd.exe	85
PID 1788 wrote to memory of 4996	1788	cmd.exe	86
PID 1788 wrote to memory of 4996	1788	cmd.exe	86
PID 1788 wrote to memory of 4900	1788	cmd.exe	87
PID 1788 wrote to memory of 4900	1788	cmd.exe	87
PID 4900 wrote to memory of 4784	4900	lsass.exe	88
PID 4900 wrote to memory of 4784	4900	lsass.exe	88
PID 4784 wrote to memory of 1028	4784	cmd.exe	90
PID 4784 wrote to memory of 1028	4784	cmd.exe	90
PID 4784 wrote to memory of 2000	4784	cmd.exe	91
PID 4784 wrote to memory of 2000	4784	cmd.exe	91
PID 4784 wrote to memory of 1388	4784	cmd.exe	101
PID 4784 wrote to memory of 1388	4784	cmd.exe	101
PID 1388 wrote to memory of 4468	1388	lsass.exe	105
PID 1388 wrote to memory of 4468	1388	lsass.exe	105
PID 4468 wrote to memory of 4880	4468	cmd.exe	108
PID 4468 wrote to memory of 4880	4468	cmd.exe	108
PID 4468 wrote to memory of 2744	4468	cmd.exe	109
PID 4468 wrote to memory of 2744	4468	cmd.exe	109
PID 4468 wrote to memory of 4256	4468	cmd.exe	110
PID 4468 wrote to memory of 4256	4468	cmd.exe	110
PID 4256 wrote to memory of 5064	4256	lsass.exe	111
PID 4256 wrote to memory of 5064	4256	lsass.exe	111
PID 5064 wrote to memory of 1608	5064	cmd.exe	113
PID 5064 wrote to memory of 1608	5064	cmd.exe	113
PID 5064 wrote to memory of 2120	5064	cmd.exe	114
PID 5064 wrote to memory of 2120	5064	cmd.exe	114
PID 5064 wrote to memory of 4276	5064	cmd.exe	118
PID 5064 wrote to memory of 4276	5064	cmd.exe	118
PID 4276 wrote to memory of 2696	4276	lsass.exe	119
PID 4276 wrote to memory of 2696	4276	lsass.exe	119
PID 2696 wrote to memory of 3328	2696	cmd.exe	121
PID 2696 wrote to memory of 3328	2696	cmd.exe	121
PID 2696 wrote to memory of 4760	2696	cmd.exe	122
PID 2696 wrote to memory of 4760	2696	cmd.exe	122
PID 2696 wrote to memory of 4972	2696	cmd.exe	125
PID 2696 wrote to memory of 4972	2696	cmd.exe	125
PID 4972 wrote to memory of 744	4972	lsass.exe	126
PID 4972 wrote to memory of 744	4972	lsass.exe	126
PID 744 wrote to memory of 1980	744	cmd.exe	128
PID 744 wrote to memory of 1980	744	cmd.exe	128
PID 744 wrote to memory of 5076	744	cmd.exe	129
PID 744 wrote to memory of 5076	744	cmd.exe	129
PID 744 wrote to memory of 3476	744	cmd.exe	131
PID 744 wrote to memory of 3476	744	cmd.exe	131
PID 3476 wrote to memory of 1196	3476	lsass.exe	132
PID 3476 wrote to memory of 1196	3476	lsass.exe	132
PID 1196 wrote to memory of 4596	1196	cmd.exe	134
PID 1196 wrote to memory of 4596	1196	cmd.exe	134
PID 1196 wrote to memory of 3212	1196	cmd.exe	135
PID 1196 wrote to memory of 3212	1196	cmd.exe	135
PID 1196 wrote to memory of 2204	1196	cmd.exe	137
PID 1196 wrote to memory of 2204	1196	cmd.exe	137
PID 2204 wrote to memory of 1644	2204	lsass.exe	138
PID 2204 wrote to memory of 1644	2204	lsass.exe	138
PID 1644 wrote to memory of 3256	1644	cmd.exe	140
PID 1644 wrote to memory of 3256	1644	cmd.exe	140
PID 1644 wrote to memory of 4880	1644	cmd.exe	141
PID 1644 wrote to memory of 4880	1644	cmd.exe	141
PID 1644 wrote to memory of 3832	1644	cmd.exe	143
PID 1644 wrote to memory of 3832	1644	cmd.exe	143

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\btHUxPoON9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3232
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4996
- - C:\Program Files (x86)\Windows Media Player\lsass.exe
    "C:\Program Files (x86)\Windows Media Player\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1028
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
    - - C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2744
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7iP34BoyNV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4760
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5076
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3212
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
        18⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
        20⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3940
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"
        22⤵
        
        PID:4980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3920
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat"
        24⤵
        
        PID:4996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4756
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat"
        26⤵
        
        PID:856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3136
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"
        28⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3464
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7iP34BoyNV.bat"
        30⤵
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4472
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"
        32⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1164
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        34⤵
        
        PID:4264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1640
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
        36⤵
        
        PID:4044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
        
        C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
        38⤵
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
0f31e501ab247a1b471e8e69930fda3d

SHA1
cc4a26314aad742126f6df0e92b777a786eade0b

SHA256
f6562e9acf0bb58a78a8ad59d5bc88bdf7a2508b84745605dfc28a19f60e4742

SHA512
65c14701fa94622aca52146b0f2d501ac2acdd4acd2a4c666903a800f26310832404a66478f861dd9b10a0a74d99e2b683fb73aef5d153b7ac26aabb96cfea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat

Filesize
181B

MD5
8faf188d46e629997e574158ac0a2d97

SHA1
5e55f4e51569cab5b8dbdc520ed933f976abb2b8

SHA256
63d5a0c08ebfd2d98ff7bfccbf2c140e9cc39b3e67fc118ea6ffff1128803a3c

SHA512
56e81a545825282e24d20e39643bdbc3f4aa83eff0f0b8976ebab2f9d1b17852c2890b8068b252288fe308d02b6eca20b2d0950ffebc3a74218ce1f48d5b045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7iP34BoyNV.bat

Filesize
181B

MD5
cce6cd5502b857f1de300122110dea96

SHA1
4eb09cb1fe06ddb065c51d1b72fa6e2f564b2115

SHA256
e4a945b1e76ccd2285e9b12dbf05a3a8db732f3ce0ea63661f9fee2993c71035

SHA512
db52d434b30bbb51b96756b567758dd0429b0cc4406ebfd62ccd1cc254ca06eb1fefb194057de16eb060ee9e87b21eee0eda37211c36e633ffacf0d17f767040

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat

Filesize
181B

MD5
abd011247c91a0127ea82b8b52559d9f

SHA1
6964124e0d7c4a3368c5b430867aab7bc38f9564

SHA256
fa2d6d174fea0e4e3d9e1f08daaf26bb8df6458ac9da2e57151c109755174cf6

SHA512
91882c065796283422f7981061e287853a981ff2462ba026b4381b05c1dff5c43b6a94856f8de94530b9d2469ef272f1d147ed5730dbf18d6ddc846f3f8e742b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat

Filesize
181B

MD5
cd2fd8a3c9b27406c072d77023a99032

SHA1
b6e6aa99f76da9e13739ab126357941ba3bb1cbe

SHA256
104f887cf5ef562479fcacaaec82b660e00ced8be90991c2598b50edf539c998

SHA512
5ca7a006d3d2b0e1a503e2f21390955fa5cf233b92ea122f9cb14b53d90caa46db099cff224d12e53279d7208f9bdde5005169ec99411c3d7fd42ed0306dbbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat

Filesize
229B

MD5
c1b9b88aab56ebdfa59b2bec46b6d6be

SHA1
070c0e3128e732c05d6cb6040fd75eba11c22a84

SHA256
7a662c68b65999660f2c0465bf4a11e8828c7464354098110be3767b5710d834

SHA512
df9a0eb4176897e89cc91b7e64145cd8ef37993cda5b83598d4fb84b292dc1373ae0fd05aacdb4d45d2441cbaa70f7f1a73cf1e4eb46d43800edd79de2e38c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat

Filesize
229B

MD5
66841700d2bc0d488b0acea9c4e3acc1

SHA1
5b376b73d0ab23b7b6147801ea87407899fec9e2

SHA256
32a4a496ff217c607fe88f52cc105233f871be2dcfa052468a76564d712da5fb

SHA512
10f10b5a6a541a9e76b82993bc2942e2ca156c5650629637999439c2a62759b90d1081ca6003647e2ce65ce18ec0de55985e4cd392951c7856869ee3272c73da

Download Submit
C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat

Filesize
181B

MD5
308f975c5656d9cbe02431a1bebb591c

SHA1
d9a10483132242920905a9185777eaec5cc224c5

SHA256
33586b768fb579cc25d4a35e11f1fa465232cb1ecd8d8e3b124ad1bec25d049b

SHA512
00d2e431eca54795bedb4fd61793ee7aa5acf781ca488175a95179d2e8eddb45dede4a0d857f848ad7e1569f48eb5af00811c85d6535ba645490ecec41cf88e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\btHUxPoON9.bat

Filesize
229B

MD5
bef408fd80b69d02224045362b31b519

SHA1
326c64fcc1e9bd664e636bbcff3610e8c770b29f

SHA256
56557774785ddd079cca3dce933b78fb691864a28d81d1784557be6d6f54b1bc

SHA512
2be2b369439981eb88e36109bca6c1afb3bb2de04d6d296db868cc4832e5f44ca45ca9ed9d630cb7b7a7eb098b38fb9596f638d056df43032ac8d9dbf07f133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat

Filesize
229B

MD5
515a0fbc8e0b873c7bcec704766592fc

SHA1
8366944c0a023112ce48b529f172bcbd7ed4d2cb

SHA256
2d971f63ec643f85750d626bfd243e8b75f6428f1bc682f5fb630eeea672356d

SHA512
458b589a27bad6304a347f7d6b3842dfa41597f05b175cbe3993f41b5fc8cc55daba8299f54e446ad648b38001b3dfeb43b1d020a1387b5341a50916c27f7001

Download Submit
C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat

Filesize
181B

MD5
6979930c9aba82db7430d2320211ed1d

SHA1
6d4209a314f6d9fbd5595c711e64c1b00e853a7e

SHA256
f28c7f8ec7ab1df98a6531ec7ec380b0eb168ef1834a72c374f88c99348dd04d

SHA512
d24d819edaef69c3e6f3c7400e7236d10b37e266b7fcb0fd6b8c26f97ace894ce31788a27110d2f60fab27bbe650d767510aaf1dc50339b18b72fc80d2b0bb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat

Filesize
181B

MD5
23fbb6277a6934092d7836efe243d2b4

SHA1
4d2d57c9fa1c0ef9e80afb1d462b78f6d73cbb0f

SHA256
6b889d920a8a315ab18aa1989b4af5717eed2dc8a4cdc4b006746e02f99f6dbe

SHA512
e6e61b959210a9a7c8d37f3d2baf50c2eefec1ba9a52fbf348b8efbabfd5c0269556cae043a63f5e62a425999e67e609c2597732ff379fe237adb0db2295897f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat

Filesize
181B

MD5
02a107330d1c3de142c6917905ca41bf

SHA1
b01d8e0c876a7f0585af339fe91137823f313a84

SHA256
8886c14b63fe4b05d10da533f09af958873941e5f2429b7a02cb5b40b0e5c70b

SHA512
f8755ec69c6292a0fa001b19e878f0d108ac2c51ac706719dc4ff9f0e27cac4a1e8c3000797d191e812a1466835c9209707553b77cf63fb87c656428e0e9f7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat

Filesize
229B

MD5
b278ed7b5df21e1dc243dc0c1ba62702

SHA1
01005fb1883f49b1ddd3b5e5c8ba17a6403202b2

SHA256
40611679248fe194de1c699cf63f3514b0664bda522e608aae9484da42361598

SHA512
33fb85bf84b174a8205b215876cebca3ddeb7e5d2cd4a9446a7af21f81ce9f64786be6ad4945cb153b6479580caeb14cf5519572ad8ede9ca14b045aaddc1c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

Filesize
229B

MD5
d60008f5079adc390b7ac2a8d046bd0e

SHA1
9fe2137b7d62a0543e00cf6fae48df67f6ee0e1d

SHA256
2d03a8eca5861d54b7bb8ce698ef2503b09ebfdabe23c6ff5b1cbd688c8c3031

SHA512
46239f9b920e78304ab6aa8b0330f4882c8f56268d3871a7e3a416bc101d43476eac3569575cd2c865606867939694fd41205abf4d69bd5fc9e469dee38b46e6

Download Submit
memory/2948-1-0x0000000000020000-0x00000000000A0000-memory.dmp

Filesize
512KB

Download
memory/2948-19-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

Filesize
10.8MB

Download
memory/2948-7-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

Filesize
10.8MB

Download
memory/2948-0-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp

Filesize
8KB

Download
memory/4900-29-0x00007FFEF9710000-0x00007FFEFA1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4900-23-0x00007FFEF9710000-0x00007FFEFA1D1000-memory.dmp

Filesize
10.8MB

Download