dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1872-1-0x0000000001310000-0x0000000001390000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0006000000016d36-11.dat	family_dcrat_v2
behavioral1/memory/2780-21-0x0000000000FD0000-0x0000000001050000-memory.dmp	family_dcrat_v2
behavioral1/memory/2632-28-0x0000000001090000-0x0000000001110000-memory.dmp	family_dcrat_v2
behavioral1/memory/2380-41-0x00000000012C0000-0x0000000001340000-memory.dmp	family_dcrat_v2

Executes dropped EXE 13 IoCs

pid	Process
2780	dwm.exe
2632	dwm.exe
2820	dwm.exe
2380	dwm.exe
1752	dwm.exe
1560	dwm.exe
1784	dwm.exe
1040	dwm.exe
2092	dwm.exe
2148	dwm.exe
2648	dwm.exe
600	dwm.exe
1148	dwm.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Program Files\Windows Journal\en-US\dwm.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Program Files\Windows Journal\en-US\6cb0b6c459d5d3	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\7184e5930ed954	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Program Files (x86)\Uninstall Information\winlogon.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\winlogon.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
276	PING.EXE
2044	PING.EXE
556	PING.EXE
576	PING.EXE
620	PING.EXE
2944	PING.EXE
2932	PING.EXE
1276	PING.EXE
2240	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
576	PING.EXE
276	PING.EXE
2240	PING.EXE
620	PING.EXE
2944	PING.EXE
2932	PING.EXE
1276	PING.EXE
2044	PING.EXE
556	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Token: SeDebugPrivilege	2780	dwm.exe
Token: SeDebugPrivilege	2632	dwm.exe
Token: SeDebugPrivilege	2820	dwm.exe
Token: SeDebugPrivilege	2380	dwm.exe
Token: SeDebugPrivilege	1752	dwm.exe
Token: SeDebugPrivilege	1560	dwm.exe
Token: SeDebugPrivilege	1784	dwm.exe
Token: SeDebugPrivilege	1040	dwm.exe
Token: SeDebugPrivilege	2092	dwm.exe
Token: SeDebugPrivilege	2148	dwm.exe
Token: SeDebugPrivilege	2648	dwm.exe
Token: SeDebugPrivilege	600	dwm.exe
Token: SeDebugPrivilege	1148	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2320	1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	30
PID 1872 wrote to memory of 2320	1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	30
PID 1872 wrote to memory of 2320	1872	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	30
PID 2320 wrote to memory of 2812	2320	cmd.exe	32
PID 2320 wrote to memory of 2812	2320	cmd.exe	32
PID 2320 wrote to memory of 2812	2320	cmd.exe	32
PID 2320 wrote to memory of 2240	2320	cmd.exe	33
PID 2320 wrote to memory of 2240	2320	cmd.exe	33
PID 2320 wrote to memory of 2240	2320	cmd.exe	33
PID 2320 wrote to memory of 2780	2320	cmd.exe	35
PID 2320 wrote to memory of 2780	2320	cmd.exe	35
PID 2320 wrote to memory of 2780	2320	cmd.exe	35
PID 2780 wrote to memory of 2852	2780	dwm.exe	36
PID 2780 wrote to memory of 2852	2780	dwm.exe	36
PID 2780 wrote to memory of 2852	2780	dwm.exe	36
PID 2852 wrote to memory of 2952	2852	cmd.exe	38
PID 2852 wrote to memory of 2952	2852	cmd.exe	38
PID 2852 wrote to memory of 2952	2852	cmd.exe	38
PID 2852 wrote to memory of 2680	2852	cmd.exe	39
PID 2852 wrote to memory of 2680	2852	cmd.exe	39
PID 2852 wrote to memory of 2680	2852	cmd.exe	39
PID 2852 wrote to memory of 2632	2852	cmd.exe	40
PID 2852 wrote to memory of 2632	2852	cmd.exe	40
PID 2852 wrote to memory of 2632	2852	cmd.exe	40
PID 2632 wrote to memory of 2348	2632	dwm.exe	41
PID 2632 wrote to memory of 2348	2632	dwm.exe	41
PID 2632 wrote to memory of 2348	2632	dwm.exe	41
PID 2348 wrote to memory of 1988	2348	cmd.exe	43
PID 2348 wrote to memory of 1988	2348	cmd.exe	43
PID 2348 wrote to memory of 1988	2348	cmd.exe	43
PID 2348 wrote to memory of 556	2348	cmd.exe	44
PID 2348 wrote to memory of 556	2348	cmd.exe	44
PID 2348 wrote to memory of 556	2348	cmd.exe	44
PID 2348 wrote to memory of 2820	2348	cmd.exe	45
PID 2348 wrote to memory of 2820	2348	cmd.exe	45
PID 2348 wrote to memory of 2820	2348	cmd.exe	45
PID 2820 wrote to memory of 2864	2820	dwm.exe	46
PID 2820 wrote to memory of 2864	2820	dwm.exe	46
PID 2820 wrote to memory of 2864	2820	dwm.exe	46
PID 2864 wrote to memory of 1184	2864	cmd.exe	48
PID 2864 wrote to memory of 1184	2864	cmd.exe	48
PID 2864 wrote to memory of 1184	2864	cmd.exe	48
PID 2864 wrote to memory of 576	2864	cmd.exe	49
PID 2864 wrote to memory of 576	2864	cmd.exe	49
PID 2864 wrote to memory of 576	2864	cmd.exe	49
PID 2864 wrote to memory of 2380	2864	cmd.exe	50
PID 2864 wrote to memory of 2380	2864	cmd.exe	50
PID 2864 wrote to memory of 2380	2864	cmd.exe	50
PID 2380 wrote to memory of 3012	2380	dwm.exe	51
PID 2380 wrote to memory of 3012	2380	dwm.exe	51
PID 2380 wrote to memory of 3012	2380	dwm.exe	51
PID 3012 wrote to memory of 3056	3012	cmd.exe	53
PID 3012 wrote to memory of 3056	3012	cmd.exe	53
PID 3012 wrote to memory of 3056	3012	cmd.exe	53
PID 3012 wrote to memory of 2388	3012	cmd.exe	54
PID 3012 wrote to memory of 2388	3012	cmd.exe	54
PID 3012 wrote to memory of 2388	3012	cmd.exe	54
PID 3012 wrote to memory of 1752	3012	cmd.exe	55
PID 3012 wrote to memory of 1752	3012	cmd.exe	55
PID 3012 wrote to memory of 1752	3012	cmd.exe	55
PID 1752 wrote to memory of 3036	1752	dwm.exe	56
PID 1752 wrote to memory of 3036	1752	dwm.exe	56
PID 1752 wrote to memory of 3036	1752	dwm.exe	56
PID 3036 wrote to memory of 2204	3036	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
"C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZCozdLPK9o.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2812
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2240
- - C:\Program Files\Windows Journal\en-US\dwm.exe
    "C:\Program Files\Windows Journal\en-US\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2952
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2680
    - - C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xSqhLDmV5E.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:576
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2388
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O4lRoaYFUn.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2616
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MP0d2SAwec.bat"
        14⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1376
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat"
        16⤵
        
        PID:552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat"
        18⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1704
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"
        20⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        22⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\um5tZ6OCE3.bat"
        24⤵
        
        PID:592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1276
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat"
        26⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Program Files\Windows Journal\en-US\dwm.exe
        
        "C:\Program Files\Windows Journal\en-US\dwm.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\75OpyD0wFt.bat"
        28⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat

Filesize
174B

MD5
e7b45497bfa8cbe2c990aa38e536a8e9

SHA1
01f66a02a1f83401f074b94500e0f91d5038cdc7

SHA256
731fb7325cf8b12079c7cd5479d00988e226ed14420222fe6436e879137659bc

SHA512
aeb624ea4c0a84b871fd0e521258661f8f1f558c7c1b9541e1aa585a1da3e8e00c22016ea3022133dd2f738b46091ff1781d8dee186cd7a2ed55b2903e011adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\75OpyD0wFt.bat

Filesize
174B

MD5
505445c0c995a0338b09684bf937015e

SHA1
aef53985a04d1e8604c7ebdc21f8fa17f6474619

SHA256
d78eb21ba40c317a055c39be27ef55319649622e0cbcff308eea2e0c82e07a49

SHA512
7dad7b461442e6b9829ba3375eaa43aaab944f162e60719d94502f60d1f4d13e010318737eddccdf0c73bc4c1469324ff820bc07380734ee681766bc45600400

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat

Filesize
174B

MD5
373a7350af944315e7ca051463179b88

SHA1
ef051084c6b20defd55b846d27b88d8a7c04a6af

SHA256
7c43f4609bbb2c0651c8ee19853730449e16aada8a78134a9676791b11cb1548

SHA512
5e40a734f4e407eb07572b460ef2c84970f4a45f353024da2c6f8ecd23c505cb638ce8197a2d89abbf72087dd4548b5f54194c738dc734c3c25d23e4c8a5c66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MP0d2SAwec.bat

Filesize
222B

MD5
f170920be727671459f38f61fb95de4b

SHA1
bcb6d2be7c644de9282d5a64b0944b01876a4559

SHA256
66052bb3e035efb640d39caeda4bbb5475552ef0dd55c8c26b509bd15a033a7e

SHA512
9b41ae5c6c268b2c9cc3bb11401e3cf161790da91c956466663724710e5cc785c550747c12b708bcf38da9b1f1e66bf30d2f11f97bafa8b01ca655d1c4ba20d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\O4lRoaYFUn.bat

Filesize
222B

MD5
83e31d867f4d5eb6645c8e61a3bba32b

SHA1
e8d0ebb08e699dfcc0ce656bb73f01794b51f1c4

SHA256
27b8d8d9a0ed254b1e7c2772209fdf06ca24cefc85ad920fbe83efc4cdb133d5

SHA512
94ddfa62f42d0183f7630a6418849e8ae829edae2d29283d914fd3622c72f7f8989db61c6a91905347c8146ef7911d05228be1f18970837a0c1231e0f574b3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat

Filesize
222B

MD5
830a43e8545097e14fd83485f50d3cde

SHA1
5859189c3933edb18118a780f3822364bf9b413a

SHA256
6fac3c07148063251995ea47eefe274cbfb2a23c8d5ebc293ea0265e3acc19a5

SHA512
c8779d158a2dc4c796f98d45db725cda591a3ff46c256f2cba37b23ba3f7b3cb620d3bdc7ad5fd4e7a0aecfdb0435ece401fbd4a52e67ae384d727c542fe07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCozdLPK9o.bat

Filesize
174B

MD5
8dd146def1325273ef68dcdb4d4a1e74

SHA1
308cb400b85b78406fd3d3a327f6bf1c0f343693

SHA256
f1ac4c08ef4567e7a9305cf31e1f272cbc40acf32e7a64cb313a2811427140c8

SHA512
b236da3da68471e40d0e65d84ad6dd6bf6b5b3398735c8c954a11a47392e573fe97b3d4753d0322d4e24bb78e1aed627d23815607381a54d6b3e6bb0c067a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat

Filesize
174B

MD5
5b25453db26c2f2a9b462e4f1ae6bb5b

SHA1
e0a4e634f462cfe43477851f51e82a40e591f5e3

SHA256
f45dcf4e8f117472f81ad2910580c48281957c37ddaaa87b3d2e267fd6277ba3

SHA512
3c81c8a95025daec9db9093bb5b347141204d66ea46146f4a0aafc0aa2a17ad1c2215718a34c903bbf178078241fae119d934192ed8d22d47c206ebbadd70968

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpHYiEZ4vY.bat

Filesize
174B

MD5
158fd428ec5df342e6a720a7447f1609

SHA1
5e6242c51ddf899abfd6cb07b82dbd816a793f36

SHA256
08dc02031fa6f95bab52968430fd49fa15b1da4773ec18c5477f3baa00b50c0a

SHA512
9c4ec35115ac63c517a454aec79e57880ec368122aab2aacb63bbd1bb2d105baa8948e28c6702c951c406950cb99110fa6165340ca31b47bc90cef99d5db2f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat

Filesize
222B

MD5
fbec610a39dbec7f271fc5f846cc35a5

SHA1
2a0122e58298e873378bd00417347e2a6db3f999

SHA256
87ed1960e80f9102b1272cc8c582bb4e0b78ca9f73da5e43a2f233aaf3f2adc2

SHA512
4c8805ed76bda87804a8eca521b584c5873ffdf9606682cef3396028a9af9f3ca1b3869d60d922b5e1f1f6ae8ae5d9e5891ee5d40fe8af3a7534c57f0810182b

Download Submit
C:\Users\Admin\AppData\Local\Temp\um5tZ6OCE3.bat

Filesize
174B

MD5
f5efe2087889123f964b7209ae658da4

SHA1
1fd560dd8b8f7ff1559f5508a7d30a5ea75bd278

SHA256
09768c815a24e8b602f38925d946a561691824fd0906ebc81531938def3dbd04

SHA512
b146b8280277eee89943f9c2bb454ba74f95f5bcf32e55da28523ec5df2db16653abfc4ea66fd77cea8d923c4856a9d56fae13cd931936b2d47664206b5a5485

Download Submit
C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat

Filesize
222B

MD5
9de7deb5f331844d5392e554e244f546

SHA1
ef9600e1eeab3982551fa9b5279c6fa4663d2a12

SHA256
662971ad4e455e8042793596fe954f51e0f9eb89253b4cdb8f4587e887576a1e

SHA512
b9a530888ccfc276fc2163bcbe623f75ef5c984a1e0b3b71ed79d5c8430764d194470c589e7662636ba3b260c8a7ccfc21bbc3cbeb3b7b5ba46e4b2e75c54f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat

Filesize
174B

MD5
2226848b49a04a1173ac8cbc39eadecb

SHA1
660f73701ca1a5e03b8a01df86f87fb9b950a84d

SHA256
0fb389dfda05e8eb38ccba0660f79e80df129f5a3ddfe02df19f95d3f37bfb50

SHA512
6f51e8092f5365c7685e5c0c3a82eab1450324881330efdb1b894df2dbcff621cedf3392503fa839c7bc99ea7523f8e13611602417cd5006d4f57bf812ba9b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSqhLDmV5E.bat

Filesize
174B

MD5
8dd65820f6952303808d452f3b9cb7f9

SHA1
dc53f095b0b14b7fab54b9ac7c203bedb79657c6

SHA256
f1ed3e9b3eb250a89a4079942df30a1215f961690326c57f975e92c80d0d593e

SHA512
5e7b308e181f9d83936bac48b1a9fec64adeab44dd5454a9e7ce893e7fd392e54a959631d708d166ab89e52425316c5c4b3a012763425f19aad8df7ceaf6843c

Download Submit
memory/1872-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/1872-17-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/1872-2-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/1872-1-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/2380-41-0x00000000012C0000-0x0000000001340000-memory.dmp

Filesize
512KB

Download
memory/2632-28-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2780-21-0x0000000000FD0000-0x0000000001050000-memory.dmp

Filesize
512KB

Download