dcrat | ee74fda651ba5f44ead1cb6e3971f9f876b2ffacc49a16cc44ce402067421eb5

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/5036-1-0x0000000000300000-0x0000000000380000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0007000000023ca7-10.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 20 IoCs

pid	Process
1984	csrss.exe
4252	csrss.exe
4508	csrss.exe
4332	csrss.exe
4824	csrss.exe
3580	csrss.exe
436	csrss.exe
4036	csrss.exe
4916	csrss.exe
3828	csrss.exe
1340	csrss.exe
856	csrss.exe
1544	csrss.exe
1720	csrss.exe
4036	csrss.exe
216	csrss.exe
4428	csrss.exe
4780	csrss.exe
1800	csrss.exe
2480	csrss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\debug\69ddcba757bf72	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Windows\Logs\NetSetup\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File opened for modification	C:\Windows\Logs\NetSetup\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Windows\Logs\NetSetup\7184e5930ed954	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
File created	C:\Windows\debug\smss.exe	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1656	PING.EXE
3184	PING.EXE
2120	PING.EXE
1540	PING.EXE
2068	PING.EXE
1796	PING.EXE
3396	PING.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2120	PING.EXE
1540	PING.EXE
2068	PING.EXE
1796	PING.EXE
3396	PING.EXE
1656	PING.EXE
3184	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
Token: SeDebugPrivilege	1984	csrss.exe
Token: SeDebugPrivilege	4252	csrss.exe
Token: SeDebugPrivilege	4508	csrss.exe
Token: SeDebugPrivilege	4332	csrss.exe
Token: SeDebugPrivilege	4824	csrss.exe
Token: SeDebugPrivilege	3580	csrss.exe
Token: SeDebugPrivilege	436	csrss.exe
Token: SeDebugPrivilege	4036	csrss.exe
Token: SeDebugPrivilege	4916	csrss.exe
Token: SeDebugPrivilege	3828	csrss.exe
Token: SeDebugPrivilege	1340	csrss.exe
Token: SeDebugPrivilege	856	csrss.exe
Token: SeDebugPrivilege	1544	csrss.exe
Token: SeDebugPrivilege	1720	csrss.exe
Token: SeDebugPrivilege	4036	csrss.exe
Token: SeDebugPrivilege	216	csrss.exe
Token: SeDebugPrivilege	4428	csrss.exe
Token: SeDebugPrivilege	4780	csrss.exe
Token: SeDebugPrivilege	1800	csrss.exe
Token: SeDebugPrivilege	2480	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4164	5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	83
PID 5036 wrote to memory of 4164	5036	9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe	83
PID 4164 wrote to memory of 2364	4164	cmd.exe	85
PID 4164 wrote to memory of 2364	4164	cmd.exe	85
PID 4164 wrote to memory of 116	4164	cmd.exe	86
PID 4164 wrote to memory of 116	4164	cmd.exe	86
PID 4164 wrote to memory of 1984	4164	cmd.exe	87
PID 4164 wrote to memory of 1984	4164	cmd.exe	87
PID 1984 wrote to memory of 3200	1984	csrss.exe	88
PID 1984 wrote to memory of 3200	1984	csrss.exe	88
PID 3200 wrote to memory of 3896	3200	cmd.exe	90
PID 3200 wrote to memory of 3896	3200	cmd.exe	90
PID 3200 wrote to memory of 3456	3200	cmd.exe	91
PID 3200 wrote to memory of 3456	3200	cmd.exe	91
PID 3200 wrote to memory of 4252	3200	cmd.exe	101
PID 3200 wrote to memory of 4252	3200	cmd.exe	101
PID 4252 wrote to memory of 5112	4252	csrss.exe	102
PID 4252 wrote to memory of 5112	4252	csrss.exe	102
PID 5112 wrote to memory of 5024	5112	cmd.exe	104
PID 5112 wrote to memory of 5024	5112	cmd.exe	104
PID 5112 wrote to memory of 3184	5112	cmd.exe	105
PID 5112 wrote to memory of 3184	5112	cmd.exe	105
PID 5112 wrote to memory of 4508	5112	cmd.exe	111
PID 5112 wrote to memory of 4508	5112	cmd.exe	111
PID 4508 wrote to memory of 1404	4508	csrss.exe	112
PID 4508 wrote to memory of 1404	4508	csrss.exe	112
PID 1404 wrote to memory of 748	1404	cmd.exe	114
PID 1404 wrote to memory of 748	1404	cmd.exe	114
PID 1404 wrote to memory of 836	1404	cmd.exe	115
PID 1404 wrote to memory of 836	1404	cmd.exe	115
PID 1404 wrote to memory of 4332	1404	cmd.exe	117
PID 1404 wrote to memory of 4332	1404	cmd.exe	117
PID 4332 wrote to memory of 1028	4332	csrss.exe	118
PID 4332 wrote to memory of 1028	4332	csrss.exe	118
PID 1028 wrote to memory of 2920	1028	cmd.exe	120
PID 1028 wrote to memory of 2920	1028	cmd.exe	120
PID 1028 wrote to memory of 1652	1028	cmd.exe	121
PID 1028 wrote to memory of 1652	1028	cmd.exe	121
PID 1028 wrote to memory of 4824	1028	cmd.exe	126
PID 1028 wrote to memory of 4824	1028	cmd.exe	126
PID 4824 wrote to memory of 1960	4824	csrss.exe	127
PID 4824 wrote to memory of 1960	4824	csrss.exe	127
PID 1960 wrote to memory of 4956	1960	cmd.exe	129
PID 1960 wrote to memory of 4956	1960	cmd.exe	129
PID 1960 wrote to memory of 2120	1960	cmd.exe	130
PID 1960 wrote to memory of 2120	1960	cmd.exe	130
PID 1960 wrote to memory of 3580	1960	cmd.exe	132
PID 1960 wrote to memory of 3580	1960	cmd.exe	132
PID 3580 wrote to memory of 3160	3580	csrss.exe	133
PID 3580 wrote to memory of 3160	3580	csrss.exe	133
PID 3160 wrote to memory of 4860	3160	cmd.exe	135
PID 3160 wrote to memory of 4860	3160	cmd.exe	135
PID 3160 wrote to memory of 3876	3160	cmd.exe	136
PID 3160 wrote to memory of 3876	3160	cmd.exe	136
PID 3160 wrote to memory of 436	3160	cmd.exe	138
PID 3160 wrote to memory of 436	3160	cmd.exe	138
PID 436 wrote to memory of 4808	436	csrss.exe	139
PID 436 wrote to memory of 4808	436	csrss.exe	139
PID 4808 wrote to memory of 1052	4808	cmd.exe	141
PID 4808 wrote to memory of 1052	4808	cmd.exe	141
PID 4808 wrote to memory of 4252	4808	cmd.exe	142
PID 4808 wrote to memory of 4252	4808	cmd.exe	142
PID 4808 wrote to memory of 4036	4808	cmd.exe	144
PID 4808 wrote to memory of 4036	4808	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe
"C:\Users\Admin\AppData\Local\Temp\9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T9PurVTpj2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:116
- - C:\Recovery\WindowsRE\csrss.exe
    "C:\Recovery\WindowsRE\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3896
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3456
    - - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dpubRuS73Q.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:836
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1652
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMGLSOSPfa.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3876
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DzTa8uEoqo.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4252
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat"
        18⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5020
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat"
        20⤵
        
        PID:3168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3396
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y6Uf3masa9.bat"
        22⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4940
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4tBkEffHSx.bat"
        24⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        26⤵
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat"
        28⤵
        
        PID:3456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4836
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\szcAPjpm25.bat"
        30⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jfRlwY95Mq.bat"
        32⤵
        
        PID:4572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2864
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FT8q7RDVDe.bat"
        34⤵
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3396
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RvL1cycbdY.bat"
        36⤵
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4720
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hCmUx29Oy0.bat"
        38⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:4876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y6Uf3masa9.bat"
        40⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:872
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
0f31e501ab247a1b471e8e69930fda3d

SHA1
cc4a26314aad742126f6df0e92b777a786eade0b

SHA256
f6562e9acf0bb58a78a8ad59d5bc88bdf7a2508b84745605dfc28a19f60e4742

SHA512
65c14701fa94622aca52146b0f2d501ac2acdd4acd2a4c666903a800f26310832404a66478f861dd9b10a0a74d99e2b683fb73aef5d153b7ac26aabb96cfea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tBkEffHSx.bat

Filesize
159B

MD5
23a46627ae70bc9866d1fcbe9aef50fd

SHA1
254d4cbfefd1278e01b45ff62a59e38ac7f0afab

SHA256
29725a0347301c9de9549ea1c6c6f923c4ffee552c93881ac5d041bea09c415d

SHA512
2d71fcd9a8fc486c413d74e24fa7a7298ca96d41b461f682bc7482599d1fc40e4bab7404d25d52485744d78defbcaa54d7abc17952816f5d709a2d4907e2e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat

Filesize
159B

MD5
5488ddbc83e39d43ff0b59c6ccd05d23

SHA1
20d5a8a02dc157dae98fd3bcc8be4989667fbb44

SHA256
5b85efefa2f11b8e084b57e6b5908d64e872139e60c1b9a98c2be2fb7e3ebcac

SHA512
2864bfe1bae4bffc2c1a711f8fbc3b4b3baa11952d80ae6c9ef3bb6be53e7ad97cbdb055d5df04d5e1c259b1725a463c8eb5ed2433565b7670a4bca3762ce5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat

Filesize
159B

MD5
a25d3225245f5511db2e12d379cd3e38

SHA1
5f528d32a4025d6e5ea7264c7b1447c2cde69ab1

SHA256
ab120112ac50a9f6d854c41d678f745fc23966759b9a6b97fc0fe9d78c17e19d

SHA512
7f0f848202d79c75cbb2ced4770a7091f0631202f654ec2b7cdf73f37b183d7f56a3b4faca7a7327722ff6a1e52f48d1e19e0a453694539a1352b0bc5eece7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DzTa8uEoqo.bat

Filesize
207B

MD5
cd300fb06bb706052ae006c2cc838673

SHA1
b937aa8512aab7c9394c4636a89ca5991ae7b0bc

SHA256
31db75fdd789806aede4cd54125c0784ef64863b4d1c96a8e090d798ed593bca

SHA512
fccd61dafa1c6025861facbec1ebe3c94334fc883976df92cf7c3a47ee83cbe1fc0fcf49823a16b4ccaa21ebc921c6fb937061b418ceeaf6fe03237f7aa65822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat

Filesize
207B

MD5
015f3d8d8ef40c81fb187a2ccd90910c

SHA1
d4c548f143330accacb0d805d66dfe1f0104bdd6

SHA256
f44e273f650af60d49269dc46f53869cbfec6b054cd90bb6fc12105ff63ee8cc

SHA512
74e63eae8b89b307c3d2fc8177258958d1ec1e7579a2c8d82406c4bdc0cf6401ff0c2244318f93b782b7c39230061e933ea909d47347588054085324147e4121

Download Submit
C:\Users\Admin\AppData\Local\Temp\RvL1cycbdY.bat

Filesize
207B

MD5
29cce6e362fe6858acd8365f148b7504

SHA1
89fde6dc9f390b2ecc3253a20cc6b6c12b741d8c

SHA256
fcac7c95ff0a8d03fb92162c572b41fe5f2e7661387ed2d3a58bd73d335fd664

SHA512
f5aea5337986bf4b8e8d2cbe00e021013be01868b7e14f4dd823d4603bbfc4cc0c3890f9a6a6fe425cf3828ae0b63be449b1cf61d497346a00dbd0261a84d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\T9PurVTpj2.bat

Filesize
207B

MD5
f63e97efe7f5891750421e0d10ec93d9

SHA1
f1bbb3ae5d6ae5ddc1537db6b0fb25f1b50b7b53

SHA256
7c7068f564ab84ea761c241d8aab74f5c2115e4c5b2dfae8be04eb7e86fdc71b

SHA512
5e2bf8563854c7f8a9c8bc64a35d3dccf933b4745a560d80d899c3d8229b7d2b188c66fbe45b1fd6724259ae9b002132988ec53edd296db54c578d3d1284f33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat

Filesize
207B

MD5
1c9b0d9e95639aeeb2542b80985b594b

SHA1
de92cef39eb22f3af32291112f68b85848821587

SHA256
7fb14e3cff1933d1922b251860785dd4610839760a52a2d7d29fad4730cc015b

SHA512
671ae9ca8bee388badba7a005e1abf943e9031b833ed7488d287b73f7a953f12a2d20f1adfac399499e68df8a928fa894bc6c429b3c7f5446e94293c9a8cd3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y6Uf3masa9.bat

Filesize
207B

MD5
f8ecb8883d87636325f59023460f10db

SHA1
6987a36bf9242d455a14e9224d16fadee4bb82cb

SHA256
dbef3ac57ab51a57fda09c9a15be2f9e326207c31222cec35300ff8845169909

SHA512
c384159553d67ffb09d8e957d280b91fbc1426aff88fd9b847171d364a3968d71f49553ff9190538fa71b98d470cb9a69e93e38349827f4c9feebe2e19f4b8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMGLSOSPfa.bat

Filesize
207B

MD5
9d46c98a9dd416067c3a92b56a9a8a83

SHA1
9b31b2bdb8a6d0cb448268f32fd4a55a7cb0385d

SHA256
39e5eb16612496eed109b2390e849af0717319707f23f7d97a42d6e60b146a02

SHA512
5b25252a4e33f8c0c71f99ca37ad6848ebe881130c05daf8bddbed5c28b236fda22126f0dd0eabc452c856048b513c0fac265231c74af97f5fc728abddb6eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpubRuS73Q.bat

Filesize
207B

MD5
9624a6de07583a5c9d4503c8bec6122e

SHA1
6696d448416772d40ac25ab83f78087d25874375

SHA256
0b9a27276f626e04f41d989cd4d66ac5f8bbd27d6ef30bb88a21e07d310b2887

SHA512
f1ebe9986b9aad000456fdd1865f0e80a57f4c8c02d72f93cd07d148e22935635db0cb87c55dd78d8f3a3209d866cb9425b0936cffa2f3cc580aba44790825e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hCmUx29Oy0.bat

Filesize
159B

MD5
12664c1a1a7937b119fcaaef4acb575a

SHA1
571a5798ddcb1d2cf79d7911c991bc8c312453db

SHA256
66b170ac71d14d7a6567daee8aeba41b76bb01cdeaef6c0a04691735cf2ce9b1

SHA512
2a30bb8c5db40ffaaf3dc2b36f5410778e25084e695ee1c722f292a90bac4bb4dd03d68770b94c1eb6f3376d69dc7a24390deb57c7c84690c824422db484fc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat

Filesize
207B

MD5
0c69d1ceca7b43bfae93e6585df6b999

SHA1
867f5a276c15265b889cd485b695a9ab31f5d1d3

SHA256
851387bd36f2f1bec100e7e2373b117a2cc6e2ad20d576ef2169a94243c3fa50

SHA512
fcb166194e8e156279a5ea06dad7b663749d477cbf2b604c78fb005c52244c1ced7ca9eaf8d9b258ed76803d7eb88affc91b5735f5753f721aba9ddb5fbde616

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfRlwY95Mq.bat

Filesize
207B

MD5
5b1c2802a602cdbef84e4029734adac6

SHA1
b46cd51c39e2a7d9ad3dd94c7d18fc87f4f1e799

SHA256
ad09664b90aa82e83bf2864a6d6a5eaddafa4ea8340aac5081e7caf7239c12b0

SHA512
225009b86c4864385f4a52e3c14373bb188911de22a43bf0655f9ca970e709e9193e8d702922de39c61a4d71cc24ad2e0052a9be7dfda922cfd6b8ac6d518b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\szcAPjpm25.bat

Filesize
159B

MD5
7bbde1014bcf45fbd3c9abd2d8d63d5b

SHA1
35fb6ed2035e8e8a93fa8d75db64584a23304e3a

SHA256
c2408079a2b59e3da6f6e6d786d7ed4f6c62d68383cc3c53f3d226a0fe98e3f3

SHA512
7cadcc3bc7775fefdbeea893a392cece2b785a587e23117d5f7074ae8f9b771d236d6b7aab7546bfdf1a1c2a3220950687683226684e67eb031b15a4d63aaff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
159B

MD5
59748baa7054852f803b6f7084918762

SHA1
ec7d7e53adc309d63bea78b82e9cfd519c1154c7

SHA256
4fbff0e33b40fdf6a58605f3bd462d49563796d6354cdafb488023d19d41bfc9

SHA512
1b8b73635428c63fd103462ca7ea7d1c7f4b31494b526cf1065438e2577db32708f50f5dcfe9899ff4aebbe73e3f3b1e871b809d1635e7cab898fea7208fed6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat

Filesize
207B

MD5
98312b7e72afba14ecbfb21b13cae197

SHA1
d0a01a38f28e7be5196f69633f2d1496582575e7

SHA256
312093be8565095850d206e12c7041ced242252b355bdd38adcffc1074fd63e6

SHA512
00ae87a3aa7b7726d0c240c61946d2466c9fb10f876158f649a7f2b1d91d35f08588870cd41d116e676d18fc2e6f823fc8c4328dbaeac378b815968e21e0d470

Download Submit
memory/1984-23-0x00007FFE76010000-0x00007FFE76AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-29-0x00007FFE76010000-0x00007FFE76AD1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-19-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/5036-12-0x00007FFE767C0000-0x00007FFE77281000-memory.dmp

Filesize
10.8MB

Download
memory/5036-1-0x0000000000300000-0x0000000000380000-memory.dmp

Filesize
512KB

Download
memory/5036-0-0x00007FFE767C3000-0x00007FFE767C5000-memory.dmp

Filesize
8KB

Download