Analysis
max time kernel: 116s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
  Resource: win10v2004-20241007-en
General
Target: a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe
Size: 1.5MB
MD5: 9770460ff21f1c18e4ca3e0bfe3767e0
SHA1: 67aaf668b810575f2dde75bac1fbb40c602c2eae
SHA256: a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2
SHA512: c8a1718efb86e3353b0a991b3c57a531769cac3a47411a0e8e07b9441bdced564a1e90664c8ac3a52c76a0415b19bd61b8f82a1a53da171216ad2bf278bf87d8
SSDEEP: 49152:/AfYoKy2QirSS9NqgWw8L0M5LLjfan+2QAbv+:yobSS/qHw8oWjf1w+
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- .NET Reactor protector (22 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 44 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID / Process: 1552 PING.EXE, 2332 PING.EXE, 2572 PING.EXE
- Runs ping.exe (1 TTPs, 3 IoCs)
  PID / Process: 2572 PING.EXE, 1552 PING.EXE, 2332 PING.EXE
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
- Suspicious use of SetWindowsHookEx (11 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (the bracketed number is the nesting depth of the process in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2660)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2992)
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gOKbIUOEuG.bat"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\chcp.com (PID 2928)
        cmdline: chcp 65001
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\PING.EXE (PID 2572)
        cmdline: ping -n 10 localhost
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2728)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2068)
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RvL1cycbdY.bat"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\chcp.com (PID 1916)
            cmdline: chcp 65001
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\w32tm.exe (PID 1584)
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe (PID 1688)
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        [5] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2956)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 436)
              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\chcp.com (PID 2348)
                cmdline: chcp 65001
                - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\w32tm.exe (PID 1148)
                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\w32tm.exe (PID 1616)
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            [7] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 1536)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2140)
                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat"
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\chcp.com (PID 2168)
                    cmdline: chcp 65001
                    - System Location Discovery: System Language Discovery
                [9] C:\Windows\SysWOW64\PING.EXE (PID 1552)
                    cmdline: ping -n 10 localhost
                    - System Location Discovery: System Language Discovery
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe
                [9] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 1712)
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2436)
                      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Pe1C5bdOi.bat"
                      - System Location Discovery: System Language Discovery
                    [11] C:\Windows\SysWOW64\chcp.com (PID 1464)
                        cmdline: chcp 65001
                        - System Location Discovery: System Language Discovery
                    [11] C:\Windows\SysWOW64\w32tm.exe (PID 2008)
                        cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        - System Location Discovery: System Language Discovery
                      [12] C:\Windows\system32\w32tm.exe (PID 1988)
                          cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    [11] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 1656)
                        cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                        - Suspicious use of NtSetInformationThreadHideFromDebugger
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of SetWindowsHookEx
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 2368)
                          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aj397jMwN3.bat"
                          - System Location Discovery: System Language Discovery
                        [13] C:\Windows\SysWOW64\chcp.com (PID 2388)
                            cmdline: chcp 65001
                            - System Location Discovery: System Language Discovery
                        [13] C:\Windows\SysWOW64\w32tm.exe (PID 2124)
                            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            - System Location Discovery: System Language Discovery
                          [14] C:\Windows\system32\w32tm.exe (PID 2920)
                              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        [13] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2864)
                            cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                            - Suspicious use of NtSetInformationThreadHideFromDebugger
                            - System Location Discovery: System Language Discovery
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of SetWindowsHookEx
                          [14] C:\Windows\SysWOW64\cmd.exe (PID 1680)
                              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat"
                              - System Location Discovery: System Language Discovery
                            [15] C:\Windows\SysWOW64\chcp.com (PID 2828)
                                cmdline: chcp 65001
                                - System Location Discovery: System Language Discovery
                            [15] C:\Windows\SysWOW64\w32tm.exe (PID 2992)
                                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                - System Location Discovery: System Language Discovery
                              [16] C:\Windows\system32\w32tm.exe (PID 2844)
                                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            [15] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2100)
                                cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                                - Suspicious use of NtSetInformationThreadHideFromDebugger
                                - System Location Discovery: System Language Discovery
                                - Suspicious use of AdjustPrivilegeToken
                                - Suspicious use of SetWindowsHookEx
                              [16] C:\Windows\SysWOW64\cmd.exe (PID 1916)
                                  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat"
                                  - System Location Discovery: System Language Discovery
                                [17] C:\Windows\SysWOW64\chcp.com (PID 1584)
                                    cmdline: chcp 65001
                                    - System Location Discovery: System Language Discovery
                                [17] C:\Windows\SysWOW64\w32tm.exe (PID 1292)
                                    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    - System Location Discovery: System Language Discovery
                                  [18] C:\Windows\system32\w32tm.exe (PID 2112)
                                      cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                [17] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2568)
                                    cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                                    - System Location Discovery: System Language Discovery
                                    - Suspicious use of AdjustPrivilegeToken
                                    - Suspicious use of SetWindowsHookEx
                                  [18] C:\Windows\SysWOW64\cmd.exe (PID 2348)
                                      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat"
                                      - System Location Discovery: System Language Discovery
                                    [19] C:\Windows\SysWOW64\chcp.com (PID 1148)
                                        cmdline: chcp 65001
                                        - System Location Discovery: System Language Discovery
                                    [19] C:\Windows\SysWOW64\PING.EXE (PID 2332)
                                        cmdline: ping -n 10 localhost
                                        - System Location Discovery: System Language Discovery
                                        - System Network Configuration Discovery: Internet Connection Discovery
                                        - Runs ping.exe
                                    [19] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 848)
                                        cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                                        - Suspicious use of NtSetInformationThreadHideFromDebugger
                                        - System Location Discovery: System Language Discovery
                                        - Suspicious use of AdjustPrivilegeToken
                                        - Suspicious use of SetWindowsHookEx
                                      [20] C:\Windows\SysWOW64\cmd.exe (PID 660)
                                          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
                                          - System Location Discovery: System Language Discovery
                                        [21] C:\Windows\SysWOW64\chcp.com (PID 1552)
                                            cmdline: chcp 65001
                                            - System Location Discovery: System Language Discovery
                                        [21] C:\Windows\SysWOW64\w32tm.exe (PID 2052)
                                            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            - System Location Discovery: System Language Discovery
                                          [22] C:\Windows\system32\w32tm.exe (PID 1968)
                                              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        [21] C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe (PID 2524)
                                            cmdline: "C:\Users\Admin\AppData\Local\Temp\a85feae08162e526db1381be09b915954a98509b096f2dcf0e904e603fa0f8c2N.exe"
                                            - Suspicious use of NtSetInformationThreadHideFromDebugger
                                            - System Location Discovery: System Language Discovery
                                            - Suspicious use of AdjustPrivilegeToken
                                            - Suspicious use of SetWindowsHookEx
                                          [22] C:\Windows\SysWOW64\cmd.exe (PID 1736)
                                              cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VkZKSVlIY6.bat"
                                              - System Location Discovery: System Language Discovery
                                            [23] C:\Windows\SysWOW64\chcp.com (PID 1988)
                                                cmdline: chcp 65001
                                                - System Location Discovery: System Language Discovery
                                            [23] C:\Windows\SysWOW64\w32tm.exe (PID 2008)
                                                cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                - System Location Discovery: System Language Discovery
                                              [24] C:\Windows\system32\w32tm.exe (PID 2436)
                                                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
MITRE ATT&CK Enterprise v15
Downloads