dcrat | a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2

Analysis

max time kernel
116s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Size

1.5MB
MD5

9770460ff21f1c18e4ca3e0bfe3767e0
SHA1

67aaf668b810575f2dde75bac1fbb40c602c2eae
SHA256

a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2
SHA512

c8a1718efb86e3353b0a991b3c57a531769cac3a47411a0e8e07b9441bdced564a1e90664c8ac3a52c76a0415b19bd61b8f82a1a53da171216ad2bf278bf87d8
SSDEEP

49152:/AfYoKy2QirSS9NqgWw8L0M5LLjfan+2QAbv+:yobSS/qHw8oWjf1w+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

.NET Reactor proctector 22 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2660-2-0x00000000001F0000-0x0000000000660000-memory.dmp	net_reactor
behavioral1/memory/2660-13-0x00000000001F0000-0x0000000000660000-memory.dmp	net_reactor
behavioral1/memory/2728-17-0x0000000000BC0000-0x0000000001030000-memory.dmp	net_reactor
behavioral1/memory/2728-23-0x0000000000BC0000-0x0000000001030000-memory.dmp	net_reactor
behavioral1/memory/2956-25-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2956-31-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1536-33-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1536-40-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1712-41-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1712-47-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1656-49-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1656-50-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1656-56-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2864-59-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2864-60-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2864-67-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/1680-68-0x00000000023E0000-0x0000000002850000-memory.dmp	net_reactor
behavioral1/memory/2100-69-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2100-75-0x00000000013C0000-0x0000000001830000-memory.dmp	net_reactor
behavioral1/memory/2568-77-0x00000000001D0000-0x0000000000640000-memory.dmp	net_reactor
behavioral1/memory/848-84-0x0000000000330000-0x00000000007A0000-memory.dmp	net_reactor
behavioral1/memory/2524-91-0x0000000001290000-0x0000000001700000-memory.dmp	net_reactor

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1712	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1712	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1656	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2864	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2864	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2100	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2568	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2568	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
848	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
848	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2524	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2524	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1552	PING.EXE
2332	PING.EXE
2572	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2572	PING.EXE
1552	PING.EXE
2332	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	1712	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	1656	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2864	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2100	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2568	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	848	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Token: SeDebugPrivilege	2524	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1712	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
1656	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2864	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2100	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2568	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
848	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
2524	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2992	2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	29
PID 2660 wrote to memory of 2992	2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	29
PID 2660 wrote to memory of 2992	2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	29
PID 2660 wrote to memory of 2992	2660	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	29
PID 2992 wrote to memory of 2928	2992	cmd.exe	31
PID 2992 wrote to memory of 2928	2992	cmd.exe	31
PID 2992 wrote to memory of 2928	2992	cmd.exe	31
PID 2992 wrote to memory of 2928	2992	cmd.exe	31
PID 2992 wrote to memory of 2572	2992	cmd.exe	32
PID 2992 wrote to memory of 2572	2992	cmd.exe	32
PID 2992 wrote to memory of 2572	2992	cmd.exe	32
PID 2992 wrote to memory of 2572	2992	cmd.exe	32
PID 2992 wrote to memory of 2728	2992	cmd.exe	33
PID 2992 wrote to memory of 2728	2992	cmd.exe	33
PID 2992 wrote to memory of 2728	2992	cmd.exe	33
PID 2992 wrote to memory of 2728	2992	cmd.exe	33
PID 2728 wrote to memory of 2068	2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	34
PID 2728 wrote to memory of 2068	2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	34
PID 2728 wrote to memory of 2068	2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	34
PID 2728 wrote to memory of 2068	2728	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	34
PID 2068 wrote to memory of 1916	2068	cmd.exe	36
PID 2068 wrote to memory of 1916	2068	cmd.exe	36
PID 2068 wrote to memory of 1916	2068	cmd.exe	36
PID 2068 wrote to memory of 1916	2068	cmd.exe	36
PID 2068 wrote to memory of 1584	2068	cmd.exe	37
PID 2068 wrote to memory of 1584	2068	cmd.exe	37
PID 2068 wrote to memory of 1584	2068	cmd.exe	37
PID 2068 wrote to memory of 1584	2068	cmd.exe	37
PID 1584 wrote to memory of 1688	1584	w32tm.exe	38
PID 1584 wrote to memory of 1688	1584	w32tm.exe	38
PID 1584 wrote to memory of 1688	1584	w32tm.exe	38
PID 1584 wrote to memory of 1688	1584	w32tm.exe	38
PID 2068 wrote to memory of 2956	2068	cmd.exe	39
PID 2068 wrote to memory of 2956	2068	cmd.exe	39
PID 2068 wrote to memory of 2956	2068	cmd.exe	39
PID 2068 wrote to memory of 2956	2068	cmd.exe	39
PID 2956 wrote to memory of 436	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	40
PID 2956 wrote to memory of 436	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	40
PID 2956 wrote to memory of 436	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	40
PID 2956 wrote to memory of 436	2956	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	40
PID 436 wrote to memory of 2348	436	cmd.exe	42
PID 436 wrote to memory of 2348	436	cmd.exe	42
PID 436 wrote to memory of 2348	436	cmd.exe	42
PID 436 wrote to memory of 2348	436	cmd.exe	42
PID 436 wrote to memory of 1148	436	cmd.exe	43
PID 436 wrote to memory of 1148	436	cmd.exe	43
PID 436 wrote to memory of 1148	436	cmd.exe	43
PID 436 wrote to memory of 1148	436	cmd.exe	43
PID 1148 wrote to memory of 1616	1148	w32tm.exe	44
PID 1148 wrote to memory of 1616	1148	w32tm.exe	44
PID 1148 wrote to memory of 1616	1148	w32tm.exe	44
PID 1148 wrote to memory of 1616	1148	w32tm.exe	44
PID 436 wrote to memory of 1536	436	cmd.exe	45
PID 436 wrote to memory of 1536	436	cmd.exe	45
PID 436 wrote to memory of 1536	436	cmd.exe	45
PID 436 wrote to memory of 1536	436	cmd.exe	45
PID 1536 wrote to memory of 2140	1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	46
PID 1536 wrote to memory of 2140	1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	46
PID 1536 wrote to memory of 2140	1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	46
PID 1536 wrote to memory of 2140	1536	a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe	46
PID 2140 wrote to memory of 2168	2140	cmd.exe	48
PID 2140 wrote to memory of 2168	2140	cmd.exe	48
PID 2140 wrote to memory of 2168	2140	cmd.exe	48
PID 2140 wrote to memory of 2168	2140	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
"C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gOKbIUOEuG.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RvL1cycbdY.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        7⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        9⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Pe1C5bdOi.bat"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        11⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aj397jMwN3.bat"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        13⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        15⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        17⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        19⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        21⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Pe1C5bdOi.bat

Filesize
279B

MD5
3ffc654b8b457796cac94f6edada7da4

SHA1
c6e4598a2bcec4b7e877642562afd57a44d46a0f

SHA256
6f5f9febef67fb91d8eff0f582a06d6677b0df8767880a049dac84f7c46a9aee

SHA512
42ee70cde903a484ce5c275d931cc5b437cb034b1922728505629fe84a29f82e196c697b82dcd79042dd3c2f2e9f0a95c9a2994b1061d3e56a82cdba34c3713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat

Filesize
231B

MD5
537a70ea1b2ed82f834133f1d27972f8

SHA1
1aa184ef46ca67975699bf23f3049649539f5f2f

SHA256
220b0c6df3118bba5cd39023ae9429dcb60c9dc37719470437c327c37c58c454

SHA512
b537bc22f60311eb294703cae8f8d1d8ad965e53b3f263602d6191ee97d8b2483991226bc2445d657ebf00d4e4d114dd2fb1f6d018c24e03362f6bfa851b5467

Download Submit
C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat

Filesize
231B

MD5
bdb4532e0bfc0c0821397c16b6074a71

SHA1
bbaf8a1570c33517c803db936439223477100eb8

SHA256
94daeb5d891b09e9185584b218709a9ed1d726ecea29d14e971abdecf649bfb2

SHA512
92cd608222206f5e297c08cd684865c2b95a49df95064ecd4a076f052aefe58d5148e472f91d515900ebd410073e99e0c3ead9dbfba5a0b779ac697b9ff04e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RvL1cycbdY.bat

Filesize
279B

MD5
c9e87f79eade475f44fc8e145c7681b2

SHA1
57a422a891e0f981161af0d52796e2d784f613e4

SHA256
fa13e07a96d2edf2b178ec60c9e88f7055d0c26ab75312c3b702d940b6cd41bd

SHA512
4787c11d95c7fbe054770bb80d58af305e318580be110af45447f811bbde69c24435f204bba8dbc7b696e7633e6f120a06983f856fa72fe4565a12d31b511d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
279B

MD5
797d846d04d8782fca81006115c694f9

SHA1
8db9ffe44d389172020d1073cdc7e9699c113d84

SHA256
6d8553588973a16f5bd62ec3f23d123ae7af77e289545148f31f514f4dfb3443

SHA512
8b5a37dbbeed53de6f140538b673a59896205987ab1cde68b7bda40455f25d22b64870454f75f800e726e9fedcce0111816373a91b5923767f007962bb9ce0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat

Filesize
279B

MD5
52f2e3b415249948620901973acb4c01

SHA1
8bbd5d629ac3a7a382886ea50ae579aafadefd60

SHA256
f154fab9aa8268dbf9c39f19180a95be343f74e1fbd25ab63eb4870bc6040820

SHA512
f7c15f7ff763520b662a8a4b8cff7fe49d0527585ae9863ba5cf3befc87cc2036016c80f2ef9848ac09ea287a112fb58f6133779f7f46de84cb6fc479b4730cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj397jMwN3.bat

Filesize
279B

MD5
b116f3c061fb0f6d6806a092752ca62d

SHA1
406f0f1658674eebe00ae1c55f86e4ba96cd070c

SHA256
705f5b38c014cbcaf12a78d8fd48501d6da775ff29841490934c7d6d6c9407e9

SHA512
6131ecefed07da0924cb6485be3761f7437f7e6a87920c9fcb7791b6d3bd7400b023911f22c3072552f362129746ec469a16cb2b4e8caf12e2de276efc0d180d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOKbIUOEuG.bat

Filesize
231B

MD5
46b9ed806815797d009b2e97448914c8

SHA1
3f5e039b08e56564b82710b218dbe9a6bc876171

SHA256
d7bb55fe444846a1f426450d54bfef75867bb542d4daf5207352d2b7cbbd3d3a

SHA512
f9787d17053060b932b87efa71024a173dc9af57ca6b7e095d7b7dfe81a9d4af839dba682759c65c0ed1cf57ae9ddb041a05b00fd735cc18ef2c31c7263eeda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
279B

MD5
ef00c596f5fb77b7ee446247da7c5e42

SHA1
d0d3f8380e103016081f6c43a31a52fdd20162d5

SHA256
5d36b1fb3487a3d8ed957166b7f0a83a3560047bc8f23131f1b0ca920e7ed00c

SHA512
98ef70bb684331ac284e6e530a5f87309b93444d9eda0fa24400bbc2858f354e950927e6c92398a471d63703d6eaf603455b2454b82fa3fa14458825770a662e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat

Filesize
279B

MD5
83405a454051401934514366ff1def67

SHA1
e685f262f1806d7923abb2589c2e2bf297a13c8f

SHA256
d3155751627f2256ab51071de7953e49ce90220491fe603884cc04149a471b44

SHA512
7b3ef5d1169b65bbd9f7bf021d7c09a3f28028f5ef7dc1fc7a17e906eed41b0725bd13f7ce5a2a3ecab34737819afc2cc260d9ba54bb683313e1089bab463d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat

Filesize
279B

MD5
1c23ca83537b2f0ec64c59da4a882095

SHA1
effab98ab04e364e23e7227a684718146bb221dc

SHA256
01a59b7507b88b6441c25779552af93898f7a30f72aad8e561132ac1c4785a75

SHA512
5ef72c1c1303cc37c37bd51562d9a6709032a3c9e88af6d7497073a302fb37cd839563199da05ed4f3e6984883b9dfad7bf73032744f044f5bbc8a210f3e8cc0

Download Submit
memory/848-84-0x0000000000330000-0x00000000007A0000-memory.dmp

Filesize
4.4MB

Download
memory/1536-33-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1536-40-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1656-49-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1656-50-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1656-56-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1680-68-0x00000000023E0000-0x0000000002850000-memory.dmp

Filesize
4.4MB

Download
memory/1712-41-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/1712-47-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2100-69-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2100-75-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2368-58-0x0000000002190000-0x0000000002600000-memory.dmp

Filesize
4.4MB

Download
memory/2524-91-0x0000000001290000-0x0000000001700000-memory.dmp

Filesize
4.4MB

Download
memory/2568-77-0x00000000001D0000-0x0000000000640000-memory.dmp

Filesize
4.4MB

Download
memory/2660-1-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2660-0-0x00000000001F0000-0x0000000000660000-memory.dmp

Filesize
4.4MB

Download
memory/2660-13-0x00000000001F0000-0x0000000000660000-memory.dmp

Filesize
4.4MB

Download
memory/2660-2-0x00000000001F0000-0x0000000000660000-memory.dmp

Filesize
4.4MB

Download
memory/2660-3-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-14-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-23-0x0000000000BC0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/2728-17-0x0000000000BC0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/2728-16-0x0000000000BC0000-0x0000000001030000-memory.dmp

Filesize
4.4MB

Download
memory/2864-67-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2864-65-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2864-60-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2864-59-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2956-31-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2956-25-0x00000000013C0000-0x0000000001830000-memory.dmp

Filesize
4.4MB

Download
memory/2992-15-0x0000000001FD0000-0x0000000002440000-memory.dmp

Filesize
4.4MB

Download