dcrat | 8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe
Size

1.9MB
MD5

f24017a8f60d8f15740eac793b68e9d3
SHA1

8241aa56b3603062c021013c8f651f3c7313fbf5
SHA256

8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c
SHA512

6f0e931f95ec19f97476a5b3611fb6b9e944a19ecc5f2b430ef0eef85d82dba1e267240e0d4c9377714a9c1714bb8f44a00b1a05cbe5ad715711f4953c522b84
SSDEEP

24576:2TbBv5rUyXVZ9VJsITebBhxEcIbJJYQ4FBC80blgtaG6iTTEoL/hTfaXyYcZzqlC:IBJZ93T3dYQ47Mlg8e3EoL5iXyYcGBUp

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	webRuntimeperfMonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
2708	webRuntimeperfMonitor.exe
5272	unsecapp.exe
6056	unsecapp.exe
1880	unsecapp.exe
6024	unsecapp.exe
3976	unsecapp.exe
5096	unsecapp.exe
4908	unsecapp.exe
4776	unsecapp.exe
5428	unsecapp.exe
1088	unsecapp.exe
912	unsecapp.exe
5660	unsecapp.exe
4552	unsecapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6056	PING.EXE
3440	PING.EXE
5992	PING.EXE
5180	PING.EXE
2564	PING.EXE
2324	PING.EXE
3436	PING.EXE
692	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	webRuntimeperfMonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	unsecapp.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
692	PING.EXE
6056	PING.EXE
3440	PING.EXE
5992	PING.EXE
5180	PING.EXE
2564	PING.EXE
2324	PING.EXE
3436	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe
2708	webRuntimeperfMonitor.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	webRuntimeperfMonitor.exe
Token: SeDebugPrivilege	5272	unsecapp.exe
Token: SeDebugPrivilege	6056	unsecapp.exe
Token: SeDebugPrivilege	1880	unsecapp.exe
Token: SeDebugPrivilege	6024	unsecapp.exe
Token: SeDebugPrivilege	3976	unsecapp.exe
Token: SeDebugPrivilege	5096	unsecapp.exe
Token: SeDebugPrivilege	4908	unsecapp.exe
Token: SeDebugPrivilege	4776	unsecapp.exe
Token: SeDebugPrivilege	5428	unsecapp.exe
Token: SeDebugPrivilege	1088	unsecapp.exe
Token: SeDebugPrivilege	912	unsecapp.exe
Token: SeDebugPrivilege	5660	unsecapp.exe
Token: SeDebugPrivilege	4552	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5356 wrote to memory of 2736	5356	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe	88
PID 5356 wrote to memory of 2736	5356	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe	88
PID 5356 wrote to memory of 2736	5356	Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe	88
PID 2736 wrote to memory of 5772	2736	WScript.exe	98
PID 2736 wrote to memory of 5772	2736	WScript.exe	98
PID 2736 wrote to memory of 5772	2736	WScript.exe	98
PID 5772 wrote to memory of 2708	5772	cmd.exe	100
PID 5772 wrote to memory of 2708	5772	cmd.exe	100
PID 2708 wrote to memory of 5216	2708	webRuntimeperfMonitor.exe	101
PID 2708 wrote to memory of 5216	2708	webRuntimeperfMonitor.exe	101
PID 5216 wrote to memory of 1232	5216	cmd.exe	103
PID 5216 wrote to memory of 1232	5216	cmd.exe	103
PID 5216 wrote to memory of 620	5216	cmd.exe	104
PID 5216 wrote to memory of 620	5216	cmd.exe	104
PID 5216 wrote to memory of 5272	5216	cmd.exe	105
PID 5216 wrote to memory of 5272	5216	cmd.exe	105
PID 5272 wrote to memory of 5024	5272	unsecapp.exe	107
PID 5272 wrote to memory of 5024	5272	unsecapp.exe	107
PID 5024 wrote to memory of 380	5024	cmd.exe	109
PID 5024 wrote to memory of 380	5024	cmd.exe	109
PID 5024 wrote to memory of 5596	5024	cmd.exe	110
PID 5024 wrote to memory of 5596	5024	cmd.exe	110
PID 5024 wrote to memory of 6056	5024	cmd.exe	112
PID 5024 wrote to memory of 6056	5024	cmd.exe	112
PID 6056 wrote to memory of 1908	6056	unsecapp.exe	115
PID 6056 wrote to memory of 1908	6056	unsecapp.exe	115
PID 1908 wrote to memory of 2184	1908	cmd.exe	117
PID 1908 wrote to memory of 2184	1908	cmd.exe	117
PID 1908 wrote to memory of 5992	1908	cmd.exe	118
PID 1908 wrote to memory of 5992	1908	cmd.exe	118
PID 1908 wrote to memory of 1880	1908	cmd.exe	120
PID 1908 wrote to memory of 1880	1908	cmd.exe	120
PID 1880 wrote to memory of 2152	1880	unsecapp.exe	121
PID 1880 wrote to memory of 2152	1880	unsecapp.exe	121
PID 2152 wrote to memory of 1072	2152	cmd.exe	123
PID 2152 wrote to memory of 1072	2152	cmd.exe	123
PID 2152 wrote to memory of 5180	2152	cmd.exe	124
PID 2152 wrote to memory of 5180	2152	cmd.exe	124
PID 2152 wrote to memory of 6024	2152	cmd.exe	128
PID 2152 wrote to memory of 6024	2152	cmd.exe	128
PID 6024 wrote to memory of 5776	6024	unsecapp.exe	129
PID 6024 wrote to memory of 5776	6024	unsecapp.exe	129
PID 5776 wrote to memory of 2508	5776	cmd.exe	131
PID 5776 wrote to memory of 2508	5776	cmd.exe	131
PID 5776 wrote to memory of 2564	5776	cmd.exe	132
PID 5776 wrote to memory of 2564	5776	cmd.exe	132
PID 5776 wrote to memory of 3976	5776	cmd.exe	133
PID 5776 wrote to memory of 3976	5776	cmd.exe	133
PID 3976 wrote to memory of 4476	3976	unsecapp.exe	134
PID 3976 wrote to memory of 4476	3976	unsecapp.exe	134
PID 4476 wrote to memory of 1020	4476	cmd.exe	136
PID 4476 wrote to memory of 1020	4476	cmd.exe	136
PID 4476 wrote to memory of 2324	4476	cmd.exe	137
PID 4476 wrote to memory of 2324	4476	cmd.exe	137
PID 4476 wrote to memory of 5096	4476	cmd.exe	139
PID 4476 wrote to memory of 5096	4476	cmd.exe	139
PID 5096 wrote to memory of 5832	5096	unsecapp.exe	140
PID 5096 wrote to memory of 5832	5096	unsecapp.exe	140
PID 5832 wrote to memory of 4892	5832	cmd.exe	142
PID 5832 wrote to memory of 4892	5832	cmd.exe	142
PID 5832 wrote to memory of 2988	5832	cmd.exe	143
PID 5832 wrote to memory of 2988	5832	cmd.exe	143
PID 5832 wrote to memory of 4908	5832	cmd.exe	144
PID 5832 wrote to memory of 4908	5832	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe
"C:\Users\Admin\AppData\Local\Temp\Sigmanly_8886bfab86b273c2ad8a1e72f120b845dd6324d97b0a3c8d628cb61514d7f03c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Componentreviewintohost\VIM0EENHmiAdXvtJ4wnFbE3sx7CnEy1Av3dnkYZt9c.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Componentreviewintohost\cOVgo0XkumV4Szk4FLI.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5772
  - - C:\Componentreviewintohost\webRuntimeperfMonitor.exe
      "C:\Componentreviewintohost/webRuntimeperfMonitor.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mj5tVqqaMY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5216
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1232
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:620
      - C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5596
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zd3m5m79sA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5992
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5180
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2988
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"
        19⤵
        
        PID:5676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3648
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat"
        21⤵
        
        PID:1700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3436
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat"
        23⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5164
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat"
        25⤵
        
        PID:3696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:692
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G9JNvaemPW.bat"
        27⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6056
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"
        29⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3440
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uhjF8j8k7U.bat"
        31⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Componentreviewintohost\VIM0EENHmiAdXvtJ4wnFbE3sx7CnEy1Av3dnkYZt9c.vbe

Filesize
221B

MD5
d9f61083a741f1d368ccc23191406cbe

SHA1
4e25311d04a809fd57b39e1af2f89f983284dd49

SHA256
836c73fca578692739cd7af87b6f23d361aca231724741d122d94c94b5b7fb91

SHA512
8285e69fd3a6be416355d28ea72fe93bacbd919cac90ec46d5c426bea05466937ce33257a7761d056d0eb6ee54d70a1d24d5a3c607c6d00191a30c87a743d1ae

Download Submit
C:\Componentreviewintohost\cOVgo0XkumV4Szk4FLI.bat

Filesize
93B

MD5
d0c2c48b402d5d2372db1fe0329e22c9

SHA1
dcd117c21651dfde8608842e8cce9e6b51d536e4

SHA256
79d03082ea9763665da3f14ab732b476145c0aef1657de13d7431858bddd6060

SHA512
2f3d496ee2c8d26a32e20d2f5640074bb5f6218f71a40b8921fb81ef62c899e0054555ab2c60f207fa0952d56a83d4ba644715dd796d576c48969c17cb4c85a4

Download Submit
C:\Componentreviewintohost\webRuntimeperfMonitor.exe

Filesize
1.6MB

MD5
071f71d5595bd193803f29fae4805e1d

SHA1
efb866db338638382b52dfd26aec6aa93658d271

SHA256
324532aa15b68b5b8ddf6449294a8b926eefa6652088b6a97bd2906b4415ef81

SHA512
4616fd5458b905bc66f966b474b50b5d396ab11dd6ded5f26426b19c47ac4437ae2d4a251120b13ce5b0d66e89aedb4f88845add060c2ee45cc517d82c64269e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuUFRpewDb.bat

Filesize
162B

MD5
41cf02d65aae964d18f7c91c02e8451d

SHA1
34e2ac9c43ce46fb5cf790f7920e5b031e883cc3

SHA256
f68e531546a8f500dba90d74ed7bd296f6eef2038d3d5c94c8bc992f537ecf4d

SHA512
b3cbd194abb9aa79aa1b7c86d49d9b09adec3e0a9d6ad0708ec0bcf9365fa693e8570a2942433de83407cf4526a052cc26ca1e2d04a408587d7064288037f7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\G9JNvaemPW.bat

Filesize
162B

MD5
5001262698438d0b6d4e8316ae331277

SHA1
74b1fecfba72a0d18cf08eb3865a04fa3ca58d95

SHA256
0df24dfd8990646f4f28e1f449914e1e22e4c3ad54ff2fc72c63aab887ca76d1

SHA512
9ab66bc3d58924ad4be93681c81de7c5550faf37976c2bef953f7882e38f94e61d72139c9fe57be6f8a549ea2c85349be2040225b610b6ec2389cdc356d8fad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat

Filesize
162B

MD5
2509b9516254ca1a4594f88592c66189

SHA1
ef5f57f5dd964bfa2bc86ce992234d8f016e03ea

SHA256
84d5c005105f37ecf3b85aa50cd9764253786e1cc437174c660b9b027cf81de5

SHA512
3a112fe4681c5eaf7065b34c644fe8ed7af799f17a4fdd9af80175e70d54c229f77a0287ff234c6d644644ec7fc6d647eb44cd657a09801cbf7244ec8cacf809

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat

Filesize
162B

MD5
6bcd982bb6c0780ccfbdcb65a2c22dd8

SHA1
bb58751ebf070b7389e22114053e391061ba3d48

SHA256
00b225bf1bd032c2a01963be2e551b05a6c000dca8c0be3f872f2bb7d7d20846

SHA512
3be52afd9d489cc39f5d092346cc0849555c0ce7668f80a6635234ffd0c0f74c7d88f29612d4e121c5eb076d61520fdf50a9c6c29516cf0a92cf1a81af562892

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat

Filesize
162B

MD5
755378db9c7de038bf793535aa233976

SHA1
57b37663d23b191f6be7733b140bd46c001fff54

SHA256
f92113d4b7ec82afe2b52cb22c7626543fb9fd677adc2c3c235ad7fe992e5aec

SHA512
8f642a8b549b274ab1a773e48d26b00547dc3a09c28f3e6cf39d817e995df1c4f928135ca4164bdb1cec564e4f4c49d86d7911984d896b54af47a796fcf45645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat

Filesize
210B

MD5
4e3f193a48dab81d2b0d25b0eb0620a3

SHA1
d3ce3222300fb976f55bfbe009dce619fe25818f

SHA256
d69fb4c97ef2c092ccac5cc1bfbcb1f441c18ec5cedc1e554f5720b5c61c6f78

SHA512
01a5ae327fa71e3cb1ca569fa14a237c890e47bcd53ee83f14c52b7672d243efda0160af91be3f7a496792abc7ffd9ac69a1a1087480d59018f9bb7778b7252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat

Filesize
162B

MD5
3a7ab0de7ed07e33bc32f7301220bdfb

SHA1
063b04cfa0b55053451f4ab0f501aa5900d8a3b7

SHA256
6366adb5da20b7f97798ff2668649f0efa0ec70291d455e40149d5483f2ee62d

SHA512
77b0e732fa978156088111863e96c13d53ba833d069f9c9f83470f41079324c7638a458781cbcbd290e984d196e56ae9e1e1cf18db1b75db8295716c40b5107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mj5tVqqaMY.bat

Filesize
210B

MD5
d4c38325aad208a208af70e7008b1255

SHA1
668c1e190c9e0c5675ade8c1fc74001270f2f541

SHA256
ec3e4d50e0b4dccc7c54eb75fde5d8f98e0c7f09183e21b1152e72b52351eef6

SHA512
2730069a70d5fe31da0923296c9499cd38b6b40b4532718f21840eacc02a7ccc167edc7639f5da5ee23570bf84e7bbcd7ac6c7a9263e739203c7df0fb4723ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat

Filesize
210B

MD5
84816ab585e86380ec4c66c4593ef227

SHA1
323b7e97f0dffe07149ee3d37a679b06aeeadd1b

SHA256
97ef4d089a457cd468d1550635994a8e997dfa7ced1282af137f6eff0dc63ecb

SHA512
1aae196734a7b19b24278c7ccf5a450a22f3e8fbf769c34260f567174c119a1b94092dcb98cbc3a4f9b3571f97f41065ac4f97c900b7a4e907e4304ef0d5a46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat

Filesize
162B

MD5
47a2c251004c2a9d1df4ce092301ec9d

SHA1
858a5322a8d2185a2492f99d85f22e7f9eddacad

SHA256
8186feb2b69b6f770ebfe2386a8482e06b4e97476d560bb351bd650a085d3fdb

SHA512
4b2e23cff817fa933b333d8e4f034f12099daf2f8d53a1285dc3be3968e77044480400fb1d04aebb9a0654c2addf7c7290e118667b4b0bfcca1e460c027b52ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhjF8j8k7U.bat

Filesize
210B

MD5
6b10de8a2c8ee254f0344f73c04ddd56

SHA1
5bfa289f14010747d022f3102dd61e9e4ea0edb2

SHA256
b16eabd666206c60231d6c6cd7b6730d8e773c9b0d45050ebaf56e99de6556d0

SHA512
7ee6953779767474e96f0ddc6419097f776bf4c05dea1d93841d47661b37e6f50bde511defb8ad6f48d8dc573c4317934f7f4429f7dd31b5505c8c1974566ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

Filesize
210B

MD5
bc0f62371b2042b916924a84ad455722

SHA1
406fd32c27e55d8487488f66234b0806cc1739d7

SHA256
388956e1d38a244e13b5ed681f85c29a9734055c1987c8b5c984029594615263

SHA512
7445bb1e42f2aa55334313ba9ab753228f95743a5247dba53c7019d04ee357ddf5305619033eafe5e32988af4cf9ebe763e568db7159c4e568037d866cf097dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd3m5m79sA.bat

Filesize
162B

MD5
5489258fb075c972e63a3f9e12493562

SHA1
1c93341dc4a33a0c41d94c1140af73f25d76a2f6

SHA256
cd4abb7e3cda47030f47ab8d7a8c205fb29dc8995e47bd5fff7de3dee16b07ca

SHA512
f06d7e1b8ab7a21ee9ad8c51820a751ea7eca53e11d44c0cd86dbcc1afafbef1c67599b4799bc04459c0fbac1dd56529351796045613a51c8dc3dead876d66d9

Download Submit
memory/2708-13-0x00000000000F0000-0x0000000000288000-memory.dmp

Filesize
1.6MB

Download
memory/2708-12-0x00007FFEDCC13000-0x00007FFEDCC15000-memory.dmp

Filesize
8KB

Download