dcrat | dbb551975191618313abbb0e81e5b011de0b7fa3e2a71a461bd0d195fa95c99b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad4f38154a9eba7ae3502976fce132e4.exe
Size

2.6MB
MD5

ad4f38154a9eba7ae3502976fce132e4
SHA1

2727a173b987caf107b987c78cd0f4222c573c23
SHA256

dbb551975191618313abbb0e81e5b011de0b7fa3e2a71a461bd0d195fa95c99b
SHA512

67d150d404d29361dc71e1d22e647f317c393996cfd084126c4f462f444f9a1c43bfad88b6b6e84f0d886e330fae26fb00bda9c9af1fefffe7c63059e4b5b399
SSDEEP

49152:/cXLxQvRkzreiqnHo052wLX6q8Zcqhezo73eY3R+CXS:/clQGzaieo052wLXd8Zcq0WeYB+C

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ad4f38154a9eba7ae3502976fce132e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 14 IoCs

pid	Process
1196	SearchApp.exe
620	SearchApp.exe
1396	SearchApp.exe
4512	SearchApp.exe
1936	SearchApp.exe
4504	SearchApp.exe
5056	SearchApp.exe
216	SearchApp.exe
3084	SearchApp.exe
1900	SearchApp.exe
1088	SearchApp.exe
4304	SearchApp.exe
2444	SearchApp.exe
2140	SearchApp.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Java\6203df4a6bafc7	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\38384e6a620884	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files\Windows Mail\services.exe	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Program Files\Java\lsass.exe	ad4f38154a9eba7ae3502976fce132e4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\6ccacd8608530f	ad4f38154a9eba7ae3502976fce132e4.exe
File created	C:\Windows\Microsoft.NET\Framework\Idle.exe	ad4f38154a9eba7ae3502976fce132e4.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\Idle.exe	ad4f38154a9eba7ae3502976fce132e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1880	PING.EXE
316	PING.EXE
1052	PING.EXE
3660	PING.EXE
920	PING.EXE
3148	PING.EXE
2540	PING.EXE
5060	PING.EXE
2652	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	ad4f38154a9eba7ae3502976fce132e4.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SearchApp.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
920	PING.EXE
5060	PING.EXE
3660	PING.EXE
2652	PING.EXE
1880	PING.EXE
3148	PING.EXE
316	PING.EXE
1052	PING.EXE
2540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe
816	ad4f38154a9eba7ae3502976fce132e4.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	ad4f38154a9eba7ae3502976fce132e4.exe
Token: SeDebugPrivilege	1196	SearchApp.exe
Token: SeDebugPrivilege	620	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	4512	SearchApp.exe
Token: SeDebugPrivilege	1936	SearchApp.exe
Token: SeDebugPrivilege	4504	SearchApp.exe
Token: SeDebugPrivilege	5056	SearchApp.exe
Token: SeDebugPrivilege	216	SearchApp.exe
Token: SeDebugPrivilege	3084	SearchApp.exe
Token: SeDebugPrivilege	1900	SearchApp.exe
Token: SeDebugPrivilege	1088	SearchApp.exe
Token: SeDebugPrivilege	4304	SearchApp.exe
Token: SeDebugPrivilege	2444	SearchApp.exe
Token: SeDebugPrivilege	2140	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4672	816	ad4f38154a9eba7ae3502976fce132e4.exe	82
PID 816 wrote to memory of 4672	816	ad4f38154a9eba7ae3502976fce132e4.exe	82
PID 4672 wrote to memory of 1880	4672	cmd.exe	84
PID 4672 wrote to memory of 1880	4672	cmd.exe	84
PID 4672 wrote to memory of 1924	4672	cmd.exe	85
PID 4672 wrote to memory of 1924	4672	cmd.exe	85
PID 4672 wrote to memory of 1196	4672	cmd.exe	86
PID 4672 wrote to memory of 1196	4672	cmd.exe	86
PID 1196 wrote to memory of 1296	1196	SearchApp.exe	88
PID 1196 wrote to memory of 1296	1196	SearchApp.exe	88
PID 1296 wrote to memory of 3032	1296	cmd.exe	90
PID 1296 wrote to memory of 3032	1296	cmd.exe	90
PID 1296 wrote to memory of 2676	1296	cmd.exe	91
PID 1296 wrote to memory of 2676	1296	cmd.exe	91
PID 1296 wrote to memory of 620	1296	cmd.exe	96
PID 1296 wrote to memory of 620	1296	cmd.exe	96
PID 620 wrote to memory of 3624	620	SearchApp.exe	99
PID 620 wrote to memory of 3624	620	SearchApp.exe	99
PID 3624 wrote to memory of 3064	3624	cmd.exe	101
PID 3624 wrote to memory of 3064	3624	cmd.exe	101
PID 3624 wrote to memory of 2652	3624	cmd.exe	102
PID 3624 wrote to memory of 2652	3624	cmd.exe	102
PID 3624 wrote to memory of 1396	3624	cmd.exe	103
PID 3624 wrote to memory of 1396	3624	cmd.exe	103
PID 1396 wrote to memory of 3124	1396	SearchApp.exe	105
PID 1396 wrote to memory of 3124	1396	SearchApp.exe	105
PID 3124 wrote to memory of 4256	3124	cmd.exe	107
PID 3124 wrote to memory of 4256	3124	cmd.exe	107
PID 3124 wrote to memory of 920	3124	cmd.exe	108
PID 3124 wrote to memory of 920	3124	cmd.exe	108
PID 3124 wrote to memory of 4512	3124	cmd.exe	110
PID 3124 wrote to memory of 4512	3124	cmd.exe	110
PID 4512 wrote to memory of 3524	4512	SearchApp.exe	111
PID 4512 wrote to memory of 3524	4512	SearchApp.exe	111
PID 3524 wrote to memory of 1400	3524	cmd.exe	113
PID 3524 wrote to memory of 1400	3524	cmd.exe	113
PID 3524 wrote to memory of 1880	3524	cmd.exe	114
PID 3524 wrote to memory of 1880	3524	cmd.exe	114
PID 3524 wrote to memory of 1936	3524	cmd.exe	115
PID 3524 wrote to memory of 1936	3524	cmd.exe	115
PID 1936 wrote to memory of 4124	1936	SearchApp.exe	116
PID 1936 wrote to memory of 4124	1936	SearchApp.exe	116
PID 4124 wrote to memory of 3944	4124	cmd.exe	118
PID 4124 wrote to memory of 3944	4124	cmd.exe	118
PID 4124 wrote to memory of 3148	4124	cmd.exe	119
PID 4124 wrote to memory of 3148	4124	cmd.exe	119
PID 4124 wrote to memory of 4504	4124	cmd.exe	120
PID 4124 wrote to memory of 4504	4124	cmd.exe	120
PID 4504 wrote to memory of 732	4504	SearchApp.exe	121
PID 4504 wrote to memory of 732	4504	SearchApp.exe	121
PID 732 wrote to memory of 1556	732	cmd.exe	123
PID 732 wrote to memory of 1556	732	cmd.exe	123
PID 732 wrote to memory of 316	732	cmd.exe	124
PID 732 wrote to memory of 316	732	cmd.exe	124
PID 732 wrote to memory of 5056	732	cmd.exe	125
PID 732 wrote to memory of 5056	732	cmd.exe	125
PID 5056 wrote to memory of 4716	5056	SearchApp.exe	126
PID 5056 wrote to memory of 4716	5056	SearchApp.exe	126
PID 4716 wrote to memory of 1240	4716	cmd.exe	128
PID 4716 wrote to memory of 1240	4716	cmd.exe	128
PID 4716 wrote to memory of 1052	4716	cmd.exe	129
PID 4716 wrote to memory of 1052	4716	cmd.exe	129
PID 4716 wrote to memory of 216	4716	cmd.exe	130
PID 4716 wrote to memory of 216	4716	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\ad4f38154a9eba7ae3502976fce132e4.exe
"C:\Users\Admin\AppData\Local\Temp\ad4f38154a9eba7ae3502976fce132e4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P4w2hXpgqz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
    "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3032
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2676
    - - C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MMpJJGXiaL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DvvzTrhuYJ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:920
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nQ6S61kszs.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1880
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WuqrHCDFSV.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3148
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:316
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AntDRUzUoe.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\emIYhhnueR.bat"
        18⤵
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2752
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aORfBZ5ejs.bat"
        20⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3604
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat"
        22⤵
        
        PID:4696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aORfBZ5ejs.bat"
        24⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:620
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat"
        26⤵
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3NuRVv1Ng8.bat"
        28⤵
        
        PID:4256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4bkZ0g0Er3.bat"
        30⤵
        
        PID:788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\services.exe

Filesize
2.6MB

MD5
ad4f38154a9eba7ae3502976fce132e4

SHA1
2727a173b987caf107b987c78cd0f4222c573c23

SHA256
dbb551975191618313abbb0e81e5b011de0b7fa3e2a71a461bd0d195fa95c99b

SHA512
67d150d404d29361dc71e1d22e647f317c393996cfd084126c4f462f444f9a1c43bfad88b6b6e84f0d886e330fae26fb00bda9c9af1fefffe7c63059e4b5b399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3c93e1d75c4f1682ef0f33b9c0759623

SHA1
b725fdf914847d4896aec8e97d7535bed90ed02a

SHA256
6905fbb07def20c266499860d66336405ee8a44de59fc7da1ef879ab4bc08b93

SHA512
31bbda359f7184f2b45fe4775b4c9b58a1720183964006557292fff8412d179379893816dc760a2b433bdbbb23c9fadaf9975a821734a891db7cbc34b410b5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3NuRVv1Ng8.bat

Filesize
237B

MD5
4365e545e729c76f2920564dba4a25cd

SHA1
d8484fb003f6794a08e3bc54331b47ab378e3746

SHA256
6f3e5a8790571615619f0da445ba05a0f46bd36913abfc8737870a9dabf76aaa

SHA512
58e8b3a345bb6bc240f52362857a0458b81e5fde57366d6dd4fb6f27ab3c74e037de6e73103a7fdcd6f23804357c06a0bcb826b39a868758cba6a358dd1f438a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bkZ0g0Er3.bat

Filesize
189B

MD5
d13fbab06b491bd64d7ca9d80431cc2b

SHA1
c1350aea70d5d2f13421484f2ec6610275e0bfd9

SHA256
a9f3003a9db6e83a88bbf7dddfb244ee7ecb2f1f77413e4b1899990ee6a14f38

SHA512
e704b9b16fe9eda71bf2d80d097ae3f4597d86a49298a65c5495164406c103b480597fa4b606f2cdf5cdef3d995a0ffac50987a7a1879c2863282050ac4c829f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntDRUzUoe.bat

Filesize
189B

MD5
ca3c19d497d0970bbd418f0f8727a78c

SHA1
7ebd2bcaef6f51904ddcd31b7c347c58bf5ea3ce

SHA256
f26590e26474fe4d41f6a6c0e347e5f166b589b8356c051da856f95b1d056b25

SHA512
88f728e66c2ed99e22fa6e55d0b35635bd906b4694320d10c1dad1d3ea6c77bf0bfe23cfc5497694873c727af2ead2a554ff95697ef6cf70e7bfc3d87ea9337f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DvvzTrhuYJ.bat

Filesize
189B

MD5
1f294fb7ff21ebe094f80dc0d8afd45c

SHA1
3bedbccb603b95ce347b40b439bea5f59179133d

SHA256
2c1e5c5a136a943b6edafb115bcac10a71109598a2a684e11fa954959471e068

SHA512
4a6c434e44aaf6bd4663df1e2f972632c9c4d0e5eddb58f8c96946bf611414a295fe3b4d843c883f47555b5ee56159734ba8faf6d5e45ae0fdd9908f45bfa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMpJJGXiaL.bat

Filesize
189B

MD5
57b659d97118e076923befc98ae207f3

SHA1
7b3624edd00630d978bafdf2ac8d20b9683a7c29

SHA256
52188b4c58ffacf81e3d703281a57fc045249c81e8fc4d32c53665f983ba940c

SHA512
39bd5c7e8ed8be6f2e142ca14f615bd2559c59bb8cab3d253570392376f1128b183d8682ec3b5b8e642e7a40abe3ecc74b79e2b8c5e977f0fcd1c860b9473f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\P4w2hXpgqz.bat

Filesize
237B

MD5
d68a4f1bc3de33e6e9bbb035ec8cc4b5

SHA1
122f0f210ae2c5bb3256fcf48e1b274ea3c48af5

SHA256
fc5a13d6c8bce90ee9000f4dfb9ad74142959fc8fdd4ceff701659e02fa09e4e

SHA512
0c0e0684a6dc767dfe4e160071ebcc8070cc094849138cc5cf70048bc193ecb801aa27903bb9ccd07b2930ef192e62b40e503eced4c9320da42ebc129aa29303

Download Submit
C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat

Filesize
189B

MD5
15398ccda66e675cacb869643b58bd11

SHA1
9a90e5e059a5f0be00a6c794fa6bc53cad388f23

SHA256
203d3db591e64c2c80a72ab7bd1915ae092e3cd79f9f9577f04ef110c2303b63

SHA512
865dcebafecbbff61ed3c330e94c73d13855edd9076f953fcdbf90ba5dc28bd0de2b9b5896e921803d8a111e398a6c6c69902a09f0c5a9df357a023666ab86b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuqrHCDFSV.bat

Filesize
189B

MD5
33222017e0a6be51b753b21b01968a34

SHA1
b950b5948c8c59038e36ff9eb3f3311924dcee91

SHA256
70531b1fa0fb581d8c3c37a6315207eaa0db2852a23ccfae45ac19de95c0671d

SHA512
a810f98e0d29bf11cff135f9dd42bef86c3394ec1a320e9d8b85bd64dc29265b7a2b84b0904a9b997501516f6e6012581913f598c75b2932d9300a98062f8442

Download Submit
C:\Users\Admin\AppData\Local\Temp\aORfBZ5ejs.bat

Filesize
237B

MD5
434117d430fa527618bcde32647eb08b

SHA1
59f825750fc7dd868310d9c607a79422dd616522

SHA256
acc36d1c005b093e89d45e0e50af4c62b772a2edce01f8a887b2d3da6cba9de9

SHA512
8b54157dee377d0d78f60d6b039919911a43362f25edb5a6d17eba3d30b134b233a19bfc0cc0298a7ac3590e4c1bd301b75ad1c65fd90177c8e3731be3b35dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\emIYhhnueR.bat

Filesize
237B

MD5
779bea51104dacb314c08e0aeffac3e5

SHA1
da4fd3d580539826d0537de48c25b1cc4e409c2c

SHA256
3b210816d3283a811a441d092224519b3466196a6c0e2693ec202eec9dbedfc5

SHA512
333f1ccb7758c9869136da29e231682936d498bf96dc0ec81abbe72b1b334dd75757c1aae9c89f9a9a0414bad6d1e3d5d2712c6e8b135903a12d7863de824edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQ6S61kszs.bat

Filesize
189B

MD5
eb02cc8cf3d6b1184b057a9701154843

SHA1
5f0b97c1aa589fbd52d6e512a23ae86a11abcc84

SHA256
88315726719ea8ce3c58d4fb8ab2e9192859427dc51ce45d7bf1935c0d873f7d

SHA512
9fc3bd57fff5a8a63309058f97256d67f6933ed2e2cffa481e10a3378c2bfaea7fb1cf6c86c303b9a468ec02ab8880b628434e103abf8e05c2c92f23f45d746b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uHdcbfRrII.bat

Filesize
189B

MD5
a36e04dd2f79ba7f0986a88338780eb9

SHA1
844784d28e794489c4b50b2ce6d8e393a06f6798

SHA256
0d598c187c6741e951a9288dbfed1da1a20eacd0e3fb7b9caadddef3f13e3835

SHA512
8818108ff5a338d911b7c8ea54596fdf8aed519e692b655f3c05af2e16c52f7dad9e08517fae02b9193f8419171be993ae59defaa08e6e3fffbcc44205b355cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat

Filesize
237B

MD5
3e046d691c44d436f7e630935f078412

SHA1
597446aadb9bc0bcf26505577ffcd5233cdde726

SHA256
a580476392b1d666e2b977ef59aa6fb1d87f0d3a42455985849b456cc5c5c627

SHA512
b987c702e174cfc00b00f3b363e79f963b174b04eb936719953ea765344188e4f58e2379a0afb2e172fa303a4b96c3a6f13cfb0dfb799ae7b560e7cf2f933a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat

Filesize
189B

MD5
90d18d2109468e3c8a0577432270bacc

SHA1
642fdb001d8d62bba39c01b86248d8fff79d2b4d

SHA256
9f84855e58b2bf5676dbce877b5d73f2d0477bbfc8ea40646ac9409123119115

SHA512
cfb88d1830934e3996795311e1b0cb59b7d8304b76863e1259e8c890b0014347b41cba427c4d822135939b533151a70dd512cbb299e19f63a7dd638a06f288ba

Download Submit
memory/216-212-0x000000001BB80000-0x000000001BBEB000-memory.dmp

Filesize
428KB

Download
memory/620-98-0x000000001BED0000-0x000000001BF3B000-memory.dmp

Filesize
428KB

Download
memory/816-21-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/816-13-0x0000000002E10000-0x0000000002E28000-memory.dmp

Filesize
96KB

Download
memory/816-31-0x000000001BA30000-0x000000001BA48000-memory.dmp

Filesize
96KB

Download
memory/816-32-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-29-0x0000000002E40000-0x0000000002E4E000-memory.dmp

Filesize
56KB

Download
memory/816-34-0x0000000002E50000-0x0000000002E5C000-memory.dmp

Filesize
48KB

Download
memory/816-36-0x000000001CF90000-0x000000001CFDE000-memory.dmp

Filesize
312KB

Download
memory/816-37-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-41-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-26-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/816-55-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-56-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-24-0x000000001D4C0000-0x000000001D9E8000-memory.dmp

Filesize
5.2MB

Download
memory/816-1-0x0000000000A20000-0x0000000000CBC000-memory.dmp

Filesize
2.6MB

Download
memory/816-23-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

Filesize
72KB

Download
memory/816-17-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/816-19-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

Filesize
72KB

Download
memory/816-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-16-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-3-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-27-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-4-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-15-0x0000000001520000-0x000000000152E000-memory.dmp

Filesize
56KB

Download
memory/816-6-0x0000000001510000-0x000000000151E000-memory.dmp

Filesize
56KB

Download
memory/816-11-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-7-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-10-0x0000000002E60000-0x0000000002EB0000-memory.dmp

Filesize
320KB

Download
memory/816-9-0x0000000002DF0000-0x0000000002E0C000-memory.dmp

Filesize
112KB

Download
memory/1088-269-0x000000001B950000-0x000000001B9BB000-memory.dmp

Filesize
428KB

Download
memory/1196-78-0x000000001C9D0000-0x000000001CA3B000-memory.dmp

Filesize
428KB

Download
memory/1396-117-0x000000001C310000-0x000000001C37B000-memory.dmp

Filesize
428KB

Download
memory/1900-250-0x000000001C120000-0x000000001C18B000-memory.dmp

Filesize
428KB

Download
memory/1936-155-0x000000001B7C0000-0x000000001B82B000-memory.dmp

Filesize
428KB

Download
memory/2140-326-0x000000001BD10000-0x000000001BD7B000-memory.dmp

Filesize
428KB

Download
memory/2444-307-0x000000001C5C0000-0x000000001C62B000-memory.dmp

Filesize
428KB

Download
memory/3084-231-0x000000001BBF0000-0x000000001BC5B000-memory.dmp

Filesize
428KB

Download
memory/4304-288-0x000000001B6E0000-0x000000001B74B000-memory.dmp

Filesize
428KB

Download
memory/4504-174-0x000000001C460000-0x000000001C4CB000-memory.dmp

Filesize
428KB

Download
memory/4512-136-0x000000001C4A0000-0x000000001C50B000-memory.dmp

Filesize
428KB

Download
memory/5056-193-0x000000001C4C0000-0x000000001C52B000-memory.dmp

Filesize
428KB

Download