dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 11 IoCs

rat

resource	yara_rule
behavioral1/memory/2092-1-0x0000000000A00000-0x0000000000A80000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0008000000016d47-11.dat	family_dcrat_v2
behavioral1/memory/2736-21-0x0000000000320000-0x00000000003A0000-memory.dmp	family_dcrat_v2
behavioral1/memory/2548-28-0x0000000000EB0000-0x0000000000F30000-memory.dmp	family_dcrat_v2
behavioral1/memory/2028-41-0x0000000001240000-0x00000000012C0000-memory.dmp	family_dcrat_v2
behavioral1/memory/2184-48-0x0000000001300000-0x0000000001380000-memory.dmp	family_dcrat_v2
behavioral1/memory/608-61-0x00000000001D0000-0x0000000000250000-memory.dmp	family_dcrat_v2
behavioral1/memory/268-68-0x0000000000850000-0x00000000008D0000-memory.dmp	family_dcrat_v2
behavioral1/memory/2912-75-0x0000000000880000-0x0000000000900000-memory.dmp	family_dcrat_v2
behavioral1/memory/2916-82-0x00000000008D0000-0x0000000000950000-memory.dmp	family_dcrat_v2
behavioral1/memory/2380-89-0x00000000011B0000-0x0000000001230000-memory.dmp	family_dcrat_v2

Executes dropped EXE 14 IoCs

pid	Process
2736	Idle.exe
2548	Idle.exe
2884	Idle.exe
2028	Idle.exe
2184	Idle.exe
752	Idle.exe
608	Idle.exe
268	Idle.exe
2912	Idle.exe
2916	Idle.exe
2380	Idle.exe
2016	Idle.exe
1504	Idle.exe
2364	Idle.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\taskhost.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\taskhost.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\b75386f1303e64	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6203df4a6bafc7	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\mui\0C0A\System.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Windows\Help\mui\0C0A\27d1bcfc3c54e0	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
File created	C:\Windows\schemas\EAPMethods\taskhost.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2348	PING.EXE
984	PING.EXE
2480	PING.EXE
2456	PING.EXE
1096	PING.EXE
1928	PING.EXE
2352	PING.EXE
1524	PING.EXE

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2480	PING.EXE
2456	PING.EXE
1096	PING.EXE
1928	PING.EXE
2352	PING.EXE
1524	PING.EXE
2348	PING.EXE
984	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
Token: SeDebugPrivilege	2736	Idle.exe
Token: SeDebugPrivilege	2548	Idle.exe
Token: SeDebugPrivilege	2884	Idle.exe
Token: SeDebugPrivilege	2028	Idle.exe
Token: SeDebugPrivilege	2184	Idle.exe
Token: SeDebugPrivilege	752	Idle.exe
Token: SeDebugPrivilege	608	Idle.exe
Token: SeDebugPrivilege	268	Idle.exe
Token: SeDebugPrivilege	2912	Idle.exe
Token: SeDebugPrivilege	2916	Idle.exe
Token: SeDebugPrivilege	2380	Idle.exe
Token: SeDebugPrivilege	2016	Idle.exe
Token: SeDebugPrivilege	1504	Idle.exe
Token: SeDebugPrivilege	2364	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2836	2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe	30
PID 2092 wrote to memory of 2836	2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe	30
PID 2092 wrote to memory of 2836	2092	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe	30
PID 2836 wrote to memory of 2824	2836	cmd.exe	32
PID 2836 wrote to memory of 2824	2836	cmd.exe	32
PID 2836 wrote to memory of 2824	2836	cmd.exe	32
PID 2836 wrote to memory of 2352	2836	cmd.exe	33
PID 2836 wrote to memory of 2352	2836	cmd.exe	33
PID 2836 wrote to memory of 2352	2836	cmd.exe	33
PID 2836 wrote to memory of 2736	2836	cmd.exe	34
PID 2836 wrote to memory of 2736	2836	cmd.exe	34
PID 2836 wrote to memory of 2736	2836	cmd.exe	34
PID 2736 wrote to memory of 2080	2736	Idle.exe	35
PID 2736 wrote to memory of 2080	2736	Idle.exe	35
PID 2736 wrote to memory of 2080	2736	Idle.exe	35
PID 2080 wrote to memory of 1232	2080	cmd.exe	37
PID 2080 wrote to memory of 1232	2080	cmd.exe	37
PID 2080 wrote to memory of 1232	2080	cmd.exe	37
PID 2080 wrote to memory of 1524	2080	cmd.exe	38
PID 2080 wrote to memory of 1524	2080	cmd.exe	38
PID 2080 wrote to memory of 1524	2080	cmd.exe	38
PID 2080 wrote to memory of 2548	2080	cmd.exe	39
PID 2080 wrote to memory of 2548	2080	cmd.exe	39
PID 2080 wrote to memory of 2548	2080	cmd.exe	39
PID 2548 wrote to memory of 2008	2548	Idle.exe	40
PID 2548 wrote to memory of 2008	2548	Idle.exe	40
PID 2548 wrote to memory of 2008	2548	Idle.exe	40
PID 2008 wrote to memory of 1100	2008	cmd.exe	42
PID 2008 wrote to memory of 1100	2008	cmd.exe	42
PID 2008 wrote to memory of 1100	2008	cmd.exe	42
PID 2008 wrote to memory of 2272	2008	cmd.exe	43
PID 2008 wrote to memory of 2272	2008	cmd.exe	43
PID 2008 wrote to memory of 2272	2008	cmd.exe	43
PID 2008 wrote to memory of 2884	2008	cmd.exe	44
PID 2008 wrote to memory of 2884	2008	cmd.exe	44
PID 2008 wrote to memory of 2884	2008	cmd.exe	44
PID 2884 wrote to memory of 1208	2884	Idle.exe	45
PID 2884 wrote to memory of 1208	2884	Idle.exe	45
PID 2884 wrote to memory of 1208	2884	Idle.exe	45
PID 1208 wrote to memory of 1300	1208	cmd.exe	47
PID 1208 wrote to memory of 1300	1208	cmd.exe	47
PID 1208 wrote to memory of 1300	1208	cmd.exe	47
PID 1208 wrote to memory of 1496	1208	cmd.exe	48
PID 1208 wrote to memory of 1496	1208	cmd.exe	48
PID 1208 wrote to memory of 1496	1208	cmd.exe	48
PID 1208 wrote to memory of 2028	1208	cmd.exe	49
PID 1208 wrote to memory of 2028	1208	cmd.exe	49
PID 1208 wrote to memory of 2028	1208	cmd.exe	49
PID 2028 wrote to memory of 2788	2028	Idle.exe	50
PID 2028 wrote to memory of 2788	2028	Idle.exe	50
PID 2028 wrote to memory of 2788	2028	Idle.exe	50
PID 2788 wrote to memory of 1812	2788	cmd.exe	52
PID 2788 wrote to memory of 1812	2788	cmd.exe	52
PID 2788 wrote to memory of 1812	2788	cmd.exe	52
PID 2788 wrote to memory of 2348	2788	cmd.exe	53
PID 2788 wrote to memory of 2348	2788	cmd.exe	53
PID 2788 wrote to memory of 2348	2788	cmd.exe	53
PID 2788 wrote to memory of 2184	2788	cmd.exe	54
PID 2788 wrote to memory of 2184	2788	cmd.exe	54
PID 2788 wrote to memory of 2184	2788	cmd.exe	54
PID 2184 wrote to memory of 1356	2184	Idle.exe	55
PID 2184 wrote to memory of 1356	2184	Idle.exe	55
PID 2184 wrote to memory of 1356	2184	Idle.exe	55
PID 1356 wrote to memory of 324	1356	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623_Sigmanly.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6AODpxyjbl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2824
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2352
- - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
    "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A3WMu9vzZU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1232
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O4lRoaYFUn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2272
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dvHErHhaAz.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1496
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2072
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RS33MjIUk5.bat"
        14⤵
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:984
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        16⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2104
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat"
        18⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2860
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8T8CYOm9qs.bat"
        20⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat"
        22⤵
        
        PID:864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3016
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WHqdBEPCKu.bat"
        24⤵
        
        PID:580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8QxsqD9vmb.bat"
        26⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1096
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat"
        28⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat

Filesize
185B

MD5
c728099adc5117118f5f2e50b443d127

SHA1
cca12ecac722c30d7144f9e52ebb074e612455d9

SHA256
992a0297bf29270017c8ef6ef8d83ee73b4dc6f93d2f7d9e3efd514767696a3c

SHA512
abb79f8e1a24a4cb5a9564a7e29e138bd64475993da0a7936779eb024f3cb24d6a690a84b52dff4efd5e6dfcdc10764bac414c868e8634b753b426608f894f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AODpxyjbl.bat

Filesize
185B

MD5
d48282cf89d5e98f68a55e541cfd5fd4

SHA1
ea9041492e3b6b50057497b76e3454e86ba42d94

SHA256
941ad4274803524bda2cb3094a56f85b753aa26bbe6861ccec950e4a23c84c0c

SHA512
53234e39b5fa5fb3c3d0e88f0beb9f77413122e4b0fe03f7a18bacefd4fb69e2ef5b71c97422f059db97a1f0a588942e35f3160375f4f3f40e99b76d2623369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8QxsqD9vmb.bat

Filesize
185B

MD5
2a9b6ff78f45975ce64c191f8a96a8c3

SHA1
65627244919595f5fe36a68356afa5f06520a470

SHA256
1fc29fa5d1705dd0090d5b6966f7bf4458913d6635d19d415886e0af9de65c12

SHA512
5290bd693eceae713523994b7a52dff835c7aba16a4ed907529a3adc21657a1aabea7a4855c924f422c3cba5c87420e6dc64274f0ef336113ccb669728a03c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\8T8CYOm9qs.bat

Filesize
185B

MD5
83687dac4e3b0798722acfd35746107c

SHA1
5ca441ba911cc13321cca955afcb4897b7d86693

SHA256
5f87db65c8dfa80dffeb181a38fe6f8b1cbccdd985c37e81a227c11598e0cd42

SHA512
3f1a4ac011f3bf412b656ec2cb74c2276135933c9d866ed07d3e520d4e67db77b0b59b6ad935fa5c0a57bcff83d060a3fb925e7bbe2b295ed9cae8249df6b9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3WMu9vzZU.bat

Filesize
185B

MD5
dc01346dabfd4839ed491fd282475cd4

SHA1
e79ff696cb9f159cc4b65b47399fb5c7f1f013bc

SHA256
8fe1835152b7e3f207f8c83675de3b9bd050533a3e0d586a3498ec788ea3e3e5

SHA512
017cc3b62002e41b6c8e1401a185ba65aa79501a39839ccb209f8e945c0d265ff6163f8e0006f76d4aede882cc808a2f3039bc3f2b79957475462afdd58fd261

Download Submit
C:\Users\Admin\AppData\Local\Temp\O4lRoaYFUn.bat

Filesize
233B

MD5
8e5f06470fb7bfce1ea7bf523abd6c2d

SHA1
e5ec52bfad2492a832e457d633e6a3838a18e35c

SHA256
9b6a4f3ee59fd1cc24c8c7fba7bddfa9ce7fb709f60bed1858c5123fb08caf57

SHA512
67d2f35c98b20e0cd56f0d4fc61428468a051c6306b29418bcecd2b418d473cb2931fba730d06e206c33d23795f55af750187b31dd7dfa30f7a191ff2e4644f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RS33MjIUk5.bat

Filesize
185B

MD5
12d000c02aadb0ae891c017e709b8622

SHA1
29148ab8fc8f6fd751d1974c2b862b779bdf4a83

SHA256
321fedd87b9bf6a906e5bcc1d7ea918e34583bdc3091791fedf60da3b25620c3

SHA512
64accf6e745f506792b832e2d0a3e5a6f240c34a47aeb87085525210d1acebc9cfcbe31609acc6c766686a7f83f48d9d1390afa9c4bcbb8fbf921907bc4002dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WHqdBEPCKu.bat

Filesize
185B

MD5
91b01d8cf51a8b336d92848133b18a2b

SHA1
5af67b241e7ed99b22db69bdc881f69ac631690c

SHA256
4eed4aa37cc86bb5be89abc13f7c56fb29d72339d8adf6f8d83c2bd8b82ba5d3

SHA512
a89b2a6407660775590ab9ea5087014eea88564a93ab2258cfef36f0caaf9cc0bac416f7ec5f7e5484da45b8fd8cfd7b59871a14fbad848bb5c5f913aad0ed46

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat

Filesize
233B

MD5
841aae931a478b0ae49c3eed03832156

SHA1
1b9e2fca73dfa1be4fe53a79766c3ee5040c556c

SHA256
858d8a17d6dc72447eb477073d3ffe5a2d4db8ee026123f95553316cd85691d9

SHA512
2541ffaa60e37182ba07e70f82f816eb85f61ff9830e09cd64af504441bbc6cf6b42fd2ab334c9fc8a76ea5a7f50509860163caf4f6d7a19f66c8a5e77a608c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvHErHhaAz.bat

Filesize
233B

MD5
f203dee359dfbcc51949129554d9184e

SHA1
68c0565a37432670fafe44b90caec8f8313fc2a3

SHA256
c91db73fb104c5408cb82e35fdbdc8dbbe4610a449b9e53077b49fa4711c7945

SHA512
a1ca1091afa36a796d5b07cca31811f497aff66f55d269041b19e4fb83de550b8ba150bd0cd0f01bd59e167db05398dfd9f794f8793c40ff99fd71c1e5fabf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat

Filesize
233B

MD5
aecf4b804ccf9d69b83511c5d8970105

SHA1
46e896a2c0b74a6847ed7203a8a6cae2c82629c2

SHA256
0eec4e33268c171b908159d9bf25245633d89bc4bc9209e27e840be94fe5e881

SHA512
dc7b86e0e40995921f4ddc8967d45dbd7aea108dac2b773a9c77c10422a8a157e23529f19d17d5c2336954d9d05c5e263f6e0ed6e9901f87856e266c5773c5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat

Filesize
233B

MD5
8d3a63fdaaff0972fccee44c3055704a

SHA1
2d353ef2f6313b281c1d594de13a9d579c798001

SHA256
ff21d63b0c1f402ef3df5011c3f3d546e94cb72b766f9ab7b2db66bef075bc46

SHA512
be1e5cb5c6552e06d2a797e5fd2aff534d44831833f735d1fcc33d5573347f056042e1e011e958e6b159574d04e2bc5d0e354f7b079c3a80a7f922c57bf09e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat

Filesize
233B

MD5
f5d8d0990dc573a2c8538c935b2893d8

SHA1
d713764c197f806962c7bc4e53b0c6ce7a1112e5

SHA256
ed6b30423aea5ef993be7fbd83a8d5a32a22238af20d9c27bb1685f5721d42e0

SHA512
dbbe3826d9dbe4185f12d64019266ae4c7787f431c26b1be7f3d030e2640ae27f438741f063d5cf2c27eccda55619f22ad198d337436d6da91063c25130c1dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat

Filesize
185B

MD5
a9702b7e9646c926a9fa80d51e332a8c

SHA1
972191c8db676c75fea1f1a4278f2633c8599595

SHA256
247278b39712c2a0284dbb073c8e245c38a45b20db8d5bba3f0374b5bdc1d481

SHA512
cac82502f0534aa5e9d3a54211f700c434c7bcaa86d0a864e5cc3f5d2b34e4f410ebf1448e8d12e23300d9cb842d12c71e87f64de8e679589e178943100ab234

Download Submit
memory/268-68-0x0000000000850000-0x00000000008D0000-memory.dmp

Filesize
512KB

Download
memory/608-61-0x00000000001D0000-0x0000000000250000-memory.dmp

Filesize
512KB

Download
memory/2028-41-0x0000000001240000-0x00000000012C0000-memory.dmp

Filesize
512KB

Download
memory/2092-17-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2092-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-1-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/2184-48-0x0000000001300000-0x0000000001380000-memory.dmp

Filesize
512KB

Download
memory/2380-89-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/2548-28-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/2736-21-0x0000000000320000-0x00000000003A0000-memory.dmp

Filesize
512KB

Download
memory/2912-75-0x0000000000880000-0x0000000000900000-memory.dmp

Filesize
512KB

Download
memory/2916-82-0x00000000008D0000-0x0000000000950000-memory.dmp

Filesize
512KB

Download