dcrat | f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67EFB6282221428E7FF63B87DF2F6522.exe
Size

3.5MB
MD5

67efb6282221428e7ff63b87df2f6522
SHA1

d358efb4f979b90c159b505d374f475253d04367
SHA256

f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815
SHA512

00443a9f7dda6d9d75d5ad39a802d66e26acb1f2f619462befbe82ac12c9ab47b5d02c6a721dea552d1bc498976ac11b4a6452f5bcfc887392abde49ff6f96f2
SSDEEP

98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	67EFB6282221428E7FF63B87DF2F6522.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 15 IoCs

pid	Process
1544	fontdrvhost.exe
3624	fontdrvhost.exe
5116	fontdrvhost.exe
3604	fontdrvhost.exe
1184	fontdrvhost.exe
228	fontdrvhost.exe
2344	fontdrvhost.exe
2424	fontdrvhost.exe
3904	fontdrvhost.exe
2844	fontdrvhost.exe
1424	fontdrvhost.exe
2196	fontdrvhost.exe
3616	fontdrvhost.exe
4952	fontdrvhost.exe
4796	fontdrvhost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\smss.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Program Files\VideoLAN\69ddcba757bf72	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\7a0fd90576e088	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Program Files\Windows Defender\it-IT\unsecapp.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Program Files\Windows Defender\it-IT\29c1c3cc0f7685	67EFB6282221428E7FF63B87DF2F6522.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\pris\fontdrvhost.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File opened for modification	C:\Windows\PrintDialog\pris\fontdrvhost.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Windows\PrintDialog\pris\5b884080fd4f94	67EFB6282221428E7FF63B87DF2F6522.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2372	PING.EXE
4124	PING.EXE
548	PING.EXE
2928	PING.EXE
5104	PING.EXE
1372	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	67EFB6282221428E7FF63B87DF2F6522.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1372	PING.EXE
2372	PING.EXE
4124	PING.EXE
548	PING.EXE
2928	PING.EXE
5104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe
116	67EFB6282221428E7FF63B87DF2F6522.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	1544	fontdrvhost.exe
Token: SeDebugPrivilege	3624	fontdrvhost.exe
Token: SeDebugPrivilege	5116	fontdrvhost.exe
Token: SeDebugPrivilege	3604	fontdrvhost.exe
Token: SeDebugPrivilege	1184	fontdrvhost.exe
Token: SeDebugPrivilege	228	fontdrvhost.exe
Token: SeDebugPrivilege	2344	fontdrvhost.exe
Token: SeDebugPrivilege	2424	fontdrvhost.exe
Token: SeDebugPrivilege	3904	fontdrvhost.exe
Token: SeDebugPrivilege	2844	fontdrvhost.exe
Token: SeDebugPrivilege	1424	fontdrvhost.exe
Token: SeDebugPrivilege	2196	fontdrvhost.exe
Token: SeDebugPrivilege	3616	fontdrvhost.exe
Token: SeDebugPrivilege	4952	fontdrvhost.exe
Token: SeDebugPrivilege	4796	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1924	116	67EFB6282221428E7FF63B87DF2F6522.exe	82
PID 116 wrote to memory of 1924	116	67EFB6282221428E7FF63B87DF2F6522.exe	82
PID 1924 wrote to memory of 4616	1924	cmd.exe	84
PID 1924 wrote to memory of 4616	1924	cmd.exe	84
PID 1924 wrote to memory of 2372	1924	cmd.exe	85
PID 1924 wrote to memory of 2372	1924	cmd.exe	85
PID 1924 wrote to memory of 1544	1924	cmd.exe	90
PID 1924 wrote to memory of 1544	1924	cmd.exe	90
PID 1544 wrote to memory of 3780	1544	fontdrvhost.exe	93
PID 1544 wrote to memory of 3780	1544	fontdrvhost.exe	93
PID 3780 wrote to memory of 5024	3780	cmd.exe	95
PID 3780 wrote to memory of 5024	3780	cmd.exe	95
PID 3780 wrote to memory of 3608	3780	cmd.exe	97
PID 3780 wrote to memory of 3608	3780	cmd.exe	97
PID 3780 wrote to memory of 3624	3780	cmd.exe	98
PID 3780 wrote to memory of 3624	3780	cmd.exe	98
PID 3624 wrote to memory of 4648	3624	fontdrvhost.exe	99
PID 3624 wrote to memory of 4648	3624	fontdrvhost.exe	99
PID 4648 wrote to memory of 532	4648	cmd.exe	101
PID 4648 wrote to memory of 532	4648	cmd.exe	101
PID 4648 wrote to memory of 4076	4648	cmd.exe	102
PID 4648 wrote to memory of 4076	4648	cmd.exe	102
PID 4648 wrote to memory of 5116	4648	cmd.exe	104
PID 4648 wrote to memory of 5116	4648	cmd.exe	104
PID 5116 wrote to memory of 1460	5116	fontdrvhost.exe	105
PID 5116 wrote to memory of 1460	5116	fontdrvhost.exe	105
PID 1460 wrote to memory of 5092	1460	cmd.exe	107
PID 1460 wrote to memory of 5092	1460	cmd.exe	107
PID 1460 wrote to memory of 3992	1460	cmd.exe	108
PID 1460 wrote to memory of 3992	1460	cmd.exe	108
PID 1460 wrote to memory of 3604	1460	cmd.exe	109
PID 1460 wrote to memory of 3604	1460	cmd.exe	109
PID 3604 wrote to memory of 116	3604	fontdrvhost.exe	111
PID 3604 wrote to memory of 116	3604	fontdrvhost.exe	111
PID 116 wrote to memory of 2072	116	cmd.exe	113
PID 116 wrote to memory of 2072	116	cmd.exe	113
PID 116 wrote to memory of 4124	116	cmd.exe	114
PID 116 wrote to memory of 4124	116	cmd.exe	114
PID 116 wrote to memory of 1184	116	cmd.exe	115
PID 116 wrote to memory of 1184	116	cmd.exe	115
PID 1184 wrote to memory of 2336	1184	fontdrvhost.exe	116
PID 1184 wrote to memory of 2336	1184	fontdrvhost.exe	116
PID 2336 wrote to memory of 460	2336	cmd.exe	118
PID 2336 wrote to memory of 460	2336	cmd.exe	118
PID 2336 wrote to memory of 3620	2336	cmd.exe	119
PID 2336 wrote to memory of 3620	2336	cmd.exe	119
PID 2336 wrote to memory of 228	2336	cmd.exe	120
PID 2336 wrote to memory of 228	2336	cmd.exe	120
PID 228 wrote to memory of 3360	228	fontdrvhost.exe	121
PID 228 wrote to memory of 3360	228	fontdrvhost.exe	121
PID 3360 wrote to memory of 1672	3360	cmd.exe	123
PID 3360 wrote to memory of 1672	3360	cmd.exe	123
PID 3360 wrote to memory of 548	3360	cmd.exe	124
PID 3360 wrote to memory of 548	3360	cmd.exe	124
PID 3360 wrote to memory of 2344	3360	cmd.exe	125
PID 3360 wrote to memory of 2344	3360	cmd.exe	125
PID 2344 wrote to memory of 2032	2344	fontdrvhost.exe	126
PID 2344 wrote to memory of 2032	2344	fontdrvhost.exe	126
PID 2032 wrote to memory of 868	2032	cmd.exe	128
PID 2032 wrote to memory of 868	2032	cmd.exe	128
PID 2032 wrote to memory of 3436	2032	cmd.exe	129
PID 2032 wrote to memory of 3436	2032	cmd.exe	129
PID 2032 wrote to memory of 2424	2032	cmd.exe	130
PID 2032 wrote to memory of 2424	2032	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
"C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KlGzMwvi58.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4616
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2372
- - C:\Windows\PrintDialog\pris\fontdrvhost.exe
    "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5024
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3608
    - - C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JIL9xxMC8B.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4076
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3992
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4124
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3620
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3436
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat"
        18⤵
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3448
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat"
        20⤵
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat"
        22⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4908
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"
        24⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1396
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        26⤵
        
        PID:4180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5104
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
        28⤵
        
        PID:3448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1372
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat"
        30⤵
        
        PID:1368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4008
        
        C:\Windows\PrintDialog\pris\fontdrvhost.exe
        
        "C:\Windows\PrintDialog\pris\fontdrvhost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe

Filesize
3.5MB

MD5
67efb6282221428e7ff63b87df2f6522

SHA1
d358efb4f979b90c159b505d374f475253d04367

SHA256
f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815

SHA512
00443a9f7dda6d9d75d5ad39a802d66e26acb1f2f619462befbe82ac12c9ab47b5d02c6a721dea552d1bc498976ac11b4a6452f5bcfc887392abde49ff6f96f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LXAY36iRv.bat

Filesize
171B

MD5
1fefc1e893f604835045f0946387bd2a

SHA1
797cf601d0a65365ef2ea6bb0f61ab11426f3ed2

SHA256
1737202d8d165070c2815301c3291e569af40e3c6f135628aea836d5792b2412

SHA512
a3423989e21e451a87e8a99f388e02ad7f05cb32b885c3694e6646ee8da2c7a8b62a421e7a0fb26695ea2dcdc5b2182664756544eb3d3eeecb2bc60d9a270caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat

Filesize
171B

MD5
a9af92a39bacf35579a6cddfa31f115f

SHA1
fda14febfb4f4bf6cb5fe650d7bf40696834dca5

SHA256
16a0934c9204df4c183a0cfe8725be3eecd67e830adb47a1fd81de8b9cb5c14a

SHA512
61b2df3bd6b4a13f7e996dff178edd4ca5ef95478fdcd3ee6a1397d6572767ce728c93d0093ab92138948cc6b0fdec7fd778c9c00973009d0e293539064f4587

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIL9xxMC8B.bat

Filesize
219B

MD5
232287e6662e7d052e3b21c289998e94

SHA1
5028c4ec1bf2259cdfc60e3f90dbd01136de8f9e

SHA256
c45b80c116381b6826b7fbde9abe20b82af68ba3bfa50268fb4c98d1432d928c

SHA512
aadc54a3a0b5749cee08448ac64fd80337d8d2d097e14b899feace45e5221ffb5c80b16dba0be7f9c35921a27e991e0e6fbefaa094c9101b5d01e8b9dc0b8bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat

Filesize
219B

MD5
bf4016533650b9da7997c57eeec7559f

SHA1
ffdefca7bee510116560ed61b466d3901151676f

SHA256
832986b79a3633195eb0d12b623bf5d75b55319453c21ee5565f2dee9dd4668f

SHA512
fb60a69ddd19c9086206b278f49a1d007b1d9b1c7b2e311318543ffe3a1f32a3779ac4d3a4bd5497ea524993e3c3039ab1328d292d5ef769c3941f216d9d50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat

Filesize
219B

MD5
ce150aa27340d737354f84d5791b299f

SHA1
a148665032f0912913e1342291931d2414e805e7

SHA256
e2a4abcc7a22d735b4e19e2048fce240a65ccd3c903aa26c71dc08e0ad2e4b10

SHA512
859c33f91d8dcdbcd885749d7e88eb91ef8847172085c127e0e3af19a36a37fd54f8594a01faf836f205337e4848dbbcc53224f8c2cc9c3854caa1bca5c0d7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KlGzMwvi58.bat

Filesize
171B

MD5
8c57e71e6d591c93f5c71c59effe05b3

SHA1
439616198b2a948dca9cf7a38293baeca7e4db3e

SHA256
e0cb7eaebacd24e51a749d7bbd41926fa567bc20afb2f763f9bd75eb3a1c19d5

SHA512
6502e669e84b520d302697eea9f0845a342682934c7527bad7798536b3971767e52764bd3d8cbc6cd93eb7e023005d790d0c894115cdb3d6ff0398b4d39d9103

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

Filesize
219B

MD5
e3609de11ef59ca733909aeef0f8faa8

SHA1
f50cf30ec0944346315785029b24077095eed29a

SHA256
c149023301346a65c3c6c30c810b14ee9620c19083256ed053fd19dbf851e042

SHA512
847faef386697aaa74f63ea4d972adfc8a4d065c24dc6af562f07cd664515da62a1cfaf4b3f366c26c95cdb65fcf65da3facece631ec17a54ab67953d28b3969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat

Filesize
219B

MD5
f7e257ccf87aa5d170fa80283d7860b1

SHA1
20d5adde9a18fae9cf0fe866c38a9b8a99d3f9aa

SHA256
764b4b85c380d27d2cd03bd7292275a88048e5306cbc7f940f9f50fd966c32a9

SHA512
cbe1dfc04a6fbd1d168ca6108603ab3adf651ae8117bb8b248e1102d68a7c39bd75e32f91baae71567a64a8e37fe081881ba4fa7b30c4c347933211fdfb4d84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat

Filesize
219B

MD5
a64553b95f7ac25d71608fa4fbc664e5

SHA1
8e92673eea3c6f21b4fa08fe95a45bc8019a447b

SHA256
bf0dd23567613743e831066cf560b7a762045f59100872eb00fd264b388b9ac5

SHA512
a9ff57a73c22b3d95e794eca5c2d7584f97a29b5557914d1909767e8f8e1568e64dd532189727b21e2fb956877c009e38f9863d8f13998e0a91c249320fdd46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat

Filesize
219B

MD5
af498f53b17453ee0cbc1a576b43519d

SHA1
df8436b439767682238fbcc1d2b5ec0becd03fc9

SHA256
eb843c7b6267ea2e59ca148208e33c77ce39ad394f25cd50390a7b54e369cb38

SHA512
8fad91f93916402c62c907ee3b4360eb72d0563bce31ccb38ac5504da4cb00ffd8f896a594dbfc01db074b0755e6e7106c00ba06e5b99aaf94554c6f67907a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat

Filesize
171B

MD5
6c9ad8807524ecffcd0d574018b9f7be

SHA1
f797b8cad92bee34f02e1c34d907825389545dcf

SHA256
5ac326bb5fc3345780c43e8e94f5101beb9eb9a97964ddc2ce86551f3e644b7e

SHA512
e23d1532f026e84adfb11667c95c58f0bf6af0c695323164acf858b5d3ae0978105ae98e320058ef00a507399cb9722d007cfde5703e206efbd020b1ad36de07

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat

Filesize
219B

MD5
1ccda952c4aa510a16f93b388efd3765

SHA1
3fe3fc447fe52840c8c967914ba4677f51819940

SHA256
5886110c763630f5f2b90e0d43bbfe404a114459c462b1afe73aae4030c98677

SHA512
2a17273f3a68515d5d14f667098b969fe1260d30897a396a950271301ba6e40f2966de42bf4c85e4dee24b0b9f55d6f252a09669d7dd9e169e470ae33e7d9c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
171B

MD5
8fafeb433221f7db6e25c7f9eb3ca9c9

SHA1
f5f9f14b0040b09015e9a180f98b4fc2965ccc4e

SHA256
3de2563f7d955d68c28066f46ca0ea0e152f9b3dab482075d6c45ce76fa38979

SHA512
1155728652e1cf97cafe910c7a299379b48ba7ea74f7a49f499c558a47912021f466fdb67c7cbc5994258194153fcd717eb6c061b8814abbeae3f623021fe5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat

Filesize
219B

MD5
c4120be5bbb435f357ab4d4bd2a8148d

SHA1
e6e22877de6a6d6391c4d222f285a1e6eee03486

SHA256
9722828a9467e392123728a97e2215e992a583221c51ce2b47c54c77ab06fa31

SHA512
dd4bdc100ea9b0b853a33d9a9b23ba187f7308d4c2a7c2637a43cd8cd8d6663cf8f97a3cefdd3007e57f20566faa24b2b0a53ac99690e7b6b97a15cc25d0dec7

Download Submit
memory/116-24-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download
memory/116-17-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-26-0x000000001B190000-0x000000001B19E000-memory.dmp

Filesize
56KB

Download
memory/116-29-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-32-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-31-0x000000001B240000-0x000000001B256000-memory.dmp

Filesize
88KB

Download
memory/116-34-0x000000001B780000-0x000000001B792000-memory.dmp

Filesize
72KB

Download
memory/116-28-0x000000001B220000-0x000000001B232000-memory.dmp

Filesize
72KB

Download
memory/116-35-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-37-0x000000001BCD0000-0x000000001C1F8000-memory.dmp

Filesize
5.2MB

Download
memory/116-36-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-41-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/116-39-0x000000001B1A0000-0x000000001B1AE000-memory.dmp

Filesize
56KB

Download
memory/116-43-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/116-45-0x000000001B800000-0x000000001B85A000-memory.dmp

Filesize
360KB

Download
memory/116-47-0x000000001B7A0000-0x000000001B7AE000-memory.dmp

Filesize
56KB

Download
memory/116-49-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/116-51-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

Filesize
56KB

Download
memory/116-53-0x000000001B860000-0x000000001B878000-memory.dmp

Filesize
96KB

Download
memory/116-55-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/116-57-0x000000001B8D0000-0x000000001B91E000-memory.dmp

Filesize
312KB

Download
memory/116-22-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/116-75-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-20-0x000000001B170000-0x000000001B188000-memory.dmp

Filesize
96KB

Download
memory/116-1-0x0000000000260000-0x00000000005E4000-memory.dmp

Filesize
3.5MB

Download
memory/116-15-0x000000001B1D0000-0x000000001B220000-memory.dmp

Filesize
320KB

Download
memory/116-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/116-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-18-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/116-3-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-14-0x000000001B150000-0x000000001B16C000-memory.dmp

Filesize
112KB

Download
memory/116-4-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-10-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-6-0x000000001B120000-0x000000001B146000-memory.dmp

Filesize
152KB

Download
memory/116-12-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/116-7-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-9-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/116-8-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/228-246-0x000000001CC90000-0x000000001CCFB000-memory.dmp

Filesize
428KB

Download
memory/1184-218-0x000000001CE00000-0x000000001CE6B000-memory.dmp

Filesize
428KB

Download
memory/1424-386-0x000000001D490000-0x000000001D4FB000-memory.dmp

Filesize
428KB

Download
memory/1544-105-0x000000001CCA0000-0x000000001CD0B000-memory.dmp

Filesize
428KB

Download
memory/2196-414-0x000000001D3A0000-0x000000001D40B000-memory.dmp

Filesize
428KB

Download
memory/2344-274-0x000000001CCB0000-0x000000001CD1B000-memory.dmp

Filesize
428KB

Download
memory/2424-302-0x000000001CC90000-0x000000001CCFB000-memory.dmp

Filesize
428KB

Download
memory/2844-358-0x000000001C980000-0x000000001C9EB000-memory.dmp

Filesize
428KB

Download
memory/3604-190-0x000000001D0D0000-0x000000001D13B000-memory.dmp

Filesize
428KB

Download
memory/3616-442-0x000000001CE70000-0x000000001CEDB000-memory.dmp

Filesize
428KB

Download
memory/3624-134-0x000000001D830000-0x000000001D89B000-memory.dmp

Filesize
428KB

Download
memory/3904-330-0x000000001CD70000-0x000000001CDDB000-memory.dmp

Filesize
428KB

Download
memory/4952-470-0x000000001CF70000-0x000000001CFDB000-memory.dmp

Filesize
428KB

Download
memory/5116-162-0x000000001CE50000-0x000000001CEBB000-memory.dmp

Filesize
428KB

Download