dcrat | 5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6296cf36bbbbe91b8ff186d18a08afa3.exe
Size

2.4MB
MD5

6296cf36bbbbe91b8ff186d18a08afa3
SHA1

3c71d4099d817731504433785dd2166f81d8ef15
SHA256

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512

773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP

49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 14 IoCs

pid	Process
2808	ComponentBrowserruntimeHostNet.exe
1928	sppsvc.exe
296	sppsvc.exe
2448	sppsvc.exe
1252	sppsvc.exe
752	sppsvc.exe
3052	sppsvc.exe
1724	sppsvc.exe
2736	sppsvc.exe
2032	sppsvc.exe
1736	sppsvc.exe
1600	sppsvc.exe
1448	sppsvc.exe
2356	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\explorer.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\7a0fd90576e088	ComponentBrowserruntimeHostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6296cf36bbbbe91b8ff186d18a08afa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2580	PING.EXE
2196	PING.EXE
300	PING.EXE
2624	PING.EXE
1544	PING.EXE
2856	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2856	PING.EXE
2580	PING.EXE
2196	PING.EXE
300	PING.EXE
2624	PING.EXE
1544	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 13 IoCs

pid	Process
1928	sppsvc.exe
296	sppsvc.exe
2448	sppsvc.exe
1252	sppsvc.exe
752	sppsvc.exe
3052	sppsvc.exe
1724	sppsvc.exe
2736	sppsvc.exe
2032	sppsvc.exe
1736	sppsvc.exe
1600	sppsvc.exe
1448	sppsvc.exe
2356	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe
2808	ComponentBrowserruntimeHostNet.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	ComponentBrowserruntimeHostNet.exe
Token: SeDebugPrivilege	1928	sppsvc.exe
Token: SeDebugPrivilege	296	sppsvc.exe
Token: SeDebugPrivilege	2448	sppsvc.exe
Token: SeDebugPrivilege	1252	sppsvc.exe
Token: SeDebugPrivilege	752	sppsvc.exe
Token: SeDebugPrivilege	3052	sppsvc.exe
Token: SeDebugPrivilege	1724	sppsvc.exe
Token: SeDebugPrivilege	2736	sppsvc.exe
Token: SeDebugPrivilege	2032	sppsvc.exe
Token: SeDebugPrivilege	1736	sppsvc.exe
Token: SeDebugPrivilege	1600	sppsvc.exe
Token: SeDebugPrivilege	1448	sppsvc.exe
Token: SeDebugPrivilege	2356	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2104	2272	6296cf36bbbbe91b8ff186d18a08afa3.exe	30
PID 2272 wrote to memory of 2104	2272	6296cf36bbbbe91b8ff186d18a08afa3.exe	30
PID 2272 wrote to memory of 2104	2272	6296cf36bbbbe91b8ff186d18a08afa3.exe	30
PID 2272 wrote to memory of 2104	2272	6296cf36bbbbe91b8ff186d18a08afa3.exe	30
PID 2104 wrote to memory of 2716	2104	WScript.exe	31
PID 2104 wrote to memory of 2716	2104	WScript.exe	31
PID 2104 wrote to memory of 2716	2104	WScript.exe	31
PID 2104 wrote to memory of 2716	2104	WScript.exe	31
PID 2716 wrote to memory of 2808	2716	cmd.exe	33
PID 2716 wrote to memory of 2808	2716	cmd.exe	33
PID 2716 wrote to memory of 2808	2716	cmd.exe	33
PID 2716 wrote to memory of 2808	2716	cmd.exe	33
PID 2808 wrote to memory of 2776	2808	ComponentBrowserruntimeHostNet.exe	34
PID 2808 wrote to memory of 2776	2808	ComponentBrowserruntimeHostNet.exe	34
PID 2808 wrote to memory of 2776	2808	ComponentBrowserruntimeHostNet.exe	34
PID 2776 wrote to memory of 2604	2776	cmd.exe	36
PID 2776 wrote to memory of 2604	2776	cmd.exe	36
PID 2776 wrote to memory of 2604	2776	cmd.exe	36
PID 2776 wrote to memory of 2624	2776	cmd.exe	37
PID 2776 wrote to memory of 2624	2776	cmd.exe	37
PID 2776 wrote to memory of 2624	2776	cmd.exe	37
PID 2776 wrote to memory of 1928	2776	cmd.exe	39
PID 2776 wrote to memory of 1928	2776	cmd.exe	39
PID 2776 wrote to memory of 1928	2776	cmd.exe	39
PID 2776 wrote to memory of 1928	2776	cmd.exe	39
PID 2776 wrote to memory of 1928	2776	cmd.exe	39
PID 1928 wrote to memory of 444	1928	sppsvc.exe	40
PID 1928 wrote to memory of 444	1928	sppsvc.exe	40
PID 1928 wrote to memory of 444	1928	sppsvc.exe	40
PID 444 wrote to memory of 992	444	cmd.exe	42
PID 444 wrote to memory of 992	444	cmd.exe	42
PID 444 wrote to memory of 992	444	cmd.exe	42
PID 444 wrote to memory of 1544	444	cmd.exe	43
PID 444 wrote to memory of 1544	444	cmd.exe	43
PID 444 wrote to memory of 1544	444	cmd.exe	43
PID 444 wrote to memory of 296	444	cmd.exe	44
PID 444 wrote to memory of 296	444	cmd.exe	44
PID 444 wrote to memory of 296	444	cmd.exe	44
PID 444 wrote to memory of 296	444	cmd.exe	44
PID 444 wrote to memory of 296	444	cmd.exe	44
PID 296 wrote to memory of 2836	296	sppsvc.exe	45
PID 296 wrote to memory of 2836	296	sppsvc.exe	45
PID 296 wrote to memory of 2836	296	sppsvc.exe	45
PID 2836 wrote to memory of 1224	2836	cmd.exe	47
PID 2836 wrote to memory of 1224	2836	cmd.exe	47
PID 2836 wrote to memory of 1224	2836	cmd.exe	47
PID 2836 wrote to memory of 1404	2836	cmd.exe	48
PID 2836 wrote to memory of 1404	2836	cmd.exe	48
PID 2836 wrote to memory of 1404	2836	cmd.exe	48
PID 2836 wrote to memory of 2448	2836	cmd.exe	49
PID 2836 wrote to memory of 2448	2836	cmd.exe	49
PID 2836 wrote to memory of 2448	2836	cmd.exe	49
PID 2836 wrote to memory of 2448	2836	cmd.exe	49
PID 2836 wrote to memory of 2448	2836	cmd.exe	49
PID 2448 wrote to memory of 832	2448	sppsvc.exe	50
PID 2448 wrote to memory of 832	2448	sppsvc.exe	50
PID 2448 wrote to memory of 832	2448	sppsvc.exe	50
PID 832 wrote to memory of 2308	832	cmd.exe	52
PID 832 wrote to memory of 2308	832	cmd.exe	52
PID 832 wrote to memory of 2308	832	cmd.exe	52
PID 832 wrote to memory of 2968	832	cmd.exe	53
PID 832 wrote to memory of 2968	832	cmd.exe	53
PID 832 wrote to memory of 2968	832	cmd.exe	53
PID 832 wrote to memory of 1252	832	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\6296cf36bbbbe91b8ff186d18a08afa3.exe
"C:\Users\Admin\AppData\Local\Temp\6296cf36bbbbe91b8ff186d18a08afa3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
      "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\idZNlo4kTn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2604
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
      - C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PpUZInWQxB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1404
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2968
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat"
        13⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2292
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTvWQnNRQU.bat"
        15⤵
        
        PID:1656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3056
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat"
        17⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2416
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fSU5VqEBqK.bat"
        19⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2904
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat"
        21⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat"
        23⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ex1oYQHqtZ.bat"
        25⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2668
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cAX6N4jPhb.bat"
        27⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Y7WGTL1T5.bat"
        29⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:920
        
        C:\HypercontainerServerhostDll\sppsvc.exe
        
        "C:\HypercontainerServerhostDll\sppsvc.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AcAxalUZZX.bat"
        31⤵
        
        PID:1332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Filesize
112B

MD5
bfbf412350fa794765180eb365d663fb

SHA1
04021ba70227e0a5f7cf29c7b85d0190f82d7f37

SHA256
b7a5da4f22c70794c60b65e06512f5f3f9e2e2803e98a99567ab859fd56f0f60

SHA512
23b6b4429e43f8fe66b0e37908d1a0580a60938281928b7b98c9fc8fb531ab7c61bc426514990b6e97fa6a95d0509e8934b77480725c748ecec20997e4371139

Download Submit
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Filesize
254B

MD5
fce58ab003f289bc419d62ce02f832fb

SHA1
dfa69ae2ce984c05356fba2074172bce822ed518

SHA256
f7a2151aa23631bde2ff93435f0209ec2a3f8f2aff2b9024f75b5e20a70677b9

SHA512
9284e6ed46b9e60329acb0f4829170fc047ff12990d7b7d8a0e0b739b59905a65318dde0f95992b33a930211bd20d1759e745be6a1f4fa2e58b94f58b514171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Y7WGTL1T5.bat

Filesize
217B

MD5
396f403b80982c73edc4f48271dd7cfd

SHA1
16c26bf3377cb619b9e93086272b2ae62e9fd5df

SHA256
db9592bed614eab0ec993c5810fb8d2e28e39254595e7a42d6ef1c105e89f8f6

SHA512
588e8ccc3d5cf5d790a763690390c2e3da569dcefb19f89f291826fe8474a46fe7d6255afb2066541cb90b6895225fb9fbcc44470346a9ce96ac9f9d88fb3773

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAxalUZZX.bat

Filesize
169B

MD5
e75a5df3807b47ccffc16e997c0c3be2

SHA1
b96d25178f9bddf37fc5276ec456dde2773923bc

SHA256
40811791fb8f6ffeadbcc2e8bc4d5f40c687d46362ccf50ddbdcce012ccba45a

SHA512
b315bf635604873ec0becfc5d4ce656e5b321db1ace658d3d6498b3664fa5a0cb51b347433362f3438be235307efba2dde88d59fd9448587a90a3dbe9c6f4537

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat

Filesize
169B

MD5
382b09817f0ba356706390b3d1e240c2

SHA1
a116306744b7d79720a0c0ebb4088c4de14814eb

SHA256
a2dafe64e2cb8355b633077b3e978c8d5aec814d3c4945f31372f5635649dd3b

SHA512
7a3dc4f9ee4b336a63477c6497180e4a9f3244bfa52fa11650d4c4c48975bc6b4c9c13689d5ab8ee21ac24a819c7bcc28db232b1b7a22a2470c2ea3e2ecdf14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat

Filesize
217B

MD5
12fd63efa0e04176cb28a1f66a05c8c9

SHA1
94a68a7e00b117d222dfa3b711d5521bab7a5b88

SHA256
eece8e8138b2150ff2e72065417cfc605f70f56ba4fd97118c4b6570d72bf298

SHA512
2a75e1affff7ef984911b1eab84b3ccd9338bc65e44fa6345397d1fdf447b9a484ceba25b018b83d2f7e37f450f561fe88d449dc1972913b355a4573650568bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat

Filesize
217B

MD5
bf642e3a06fb44a1248017b02e6393ce

SHA1
380c7107a19637e451d81694b184cce5a4aaa5c7

SHA256
331f909769c01c038f8e062910ff8733930e2e1d5ce590f96510abe2a04955ba

SHA512
f8938d3eaf4c2c1c4fa69a01254eae34c7d86d03fd1e4dfe5bc98a83ede45243dc788df46c5f40f655d2a1450a716bb7d18fbcf73af32633c451aefbd27efe7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat

Filesize
169B

MD5
0bc4c3cbe2c4ef02aca948ae495e066f

SHA1
babb26ebd04a04926491e6f03aa592d5e44347bb

SHA256
8c83582b77773f6a6171f22db1bf058073d8062b36eae70cf3b7f93cfcc83955

SHA512
c4984cc4b2ecb9ee5b243c176a89e4dc90e0e40b8bb4b73a731acbffb99b94fa3fb6e41df92dc5491f1aa143f54a25635fda98390ea75e0a2622ba746d836194

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTvWQnNRQU.bat

Filesize
217B

MD5
b9cd266510789f0d37a6a1cf1abdda0b

SHA1
cd037204861196238407cc894a03004a731523b3

SHA256
72ec7653505e726a69eea05f482e189e7cf471ad991e38d21581418d8847f30f

SHA512
b9acc0ced5a4e27ca7c40a22b588cbfce4ed7088fe48c6eb5370d37c5d663030ef7f53e34b4c8a9861201dd0a7148f329fa6ec5d145eb23e1fb5808789cb60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PpUZInWQxB.bat

Filesize
169B

MD5
85964ef1e8cd6d5b79a6aeedb3f1fed2

SHA1
5d6e19810f9504d594f5547752c823cced38577f

SHA256
e97d21523e63241d64efdfbaec19d830975dc6589aab4915e8b71c8ce3967a1b

SHA512
2b6e071a51e3bcc49f2bc15f0befe1e76bdc4593a4650a08e9533090f2a1cfb6c6b3b497eb453a5cbe228be9abdf5e1bcdb55b99c1f0e9014cc59d6682b08a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat

Filesize
217B

MD5
a5a12bf1d872a0cef4878c4583efbe5c

SHA1
e224ef36cdab86b876b501d872d13be90d5cd2d5

SHA256
bae186b11d2a3cf702416e5bf36578ef98362c7981c4ac8e00199dd0ddfb6bf8

SHA512
9c90b7ddfa2a010d66aac478a00f097dbe2d69824fc4334b31cdecf4dcb0e1ee08686d47297de4e78da61e87fb84410018b20fa50a22d84865f97ee260030cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAX6N4jPhb.bat

Filesize
169B

MD5
c8791af9fcc7d92de13b2314a2b6bf3e

SHA1
9643f09a2efcad40ab38c0fed089e6c6abe72dc4

SHA256
139891e856180fca1c5912fa47a55f15a330382d071ea0c0b870d252d0afff77

SHA512
b2f8bee24871714406a00197070e1cdbe57024442791f12ee1225eef515cb5d2a52be4e09b8e4aecf0b1a0e8d5a5a51dd22b3eb4d4abc6a885537e4195278189

Download Submit
C:\Users\Admin\AppData\Local\Temp\ex1oYQHqtZ.bat

Filesize
217B

MD5
a079769dfb0b9793cb65fd9f59f76a85

SHA1
e8311623bef96fcb6b68583ebf14864d5ec8454b

SHA256
49ad6133d47ab5e91cb1f888be6977cfe436238f59373e6ec8798c7faca46bcd

SHA512
8c744e05e64c19e8986db4812d9946a919b2cb1c6aa337aa47227e92949318ff08cfd7b8b7a2aa590d913f7d9996eba19646d8c4cc0724c5b9424fe40587952b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSU5VqEBqK.bat

Filesize
217B

MD5
46d59fd6d2a5aade415dd1c12ffe9551

SHA1
75b19c11cb2e2087a15aca7e64185befddcdb925

SHA256
165a20165f0cc4b4c6b28205e66fea982b6c23f3d98a1b87cd2a9ef41a93a15e

SHA512
0990d14c58b89b4276b1cae2155e4943dff30b35a72ccf66b434af20c24c3b43873fefb43b25a12862434577e42e11c2a8ec4fb9a568701ff9ecd987d28aa4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\idZNlo4kTn.bat

Filesize
169B

MD5
4b3a6b017663046a2c8316d9cb0a13c1

SHA1
8247bba9e3a87a27c8e5e1b1c6f506b4a55add54

SHA256
1e8de07d0b74315eb47669c25a355e997c9d89c9ae615b0d189e0120ac1500b5

SHA512
3039f4519d4127b3f175f5316084f8d5c866ad54d01e95729840f9a8bbde53c7bf5b6bbff82032047e53d4c62e9dc4b902765dfc00d4177775f260bc8f7e8bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat

Filesize
217B

MD5
b4fa3dcc5340ccc86694f6cb93de78e8

SHA1
a888c5654211473c5a899db6efa9c522ab015630

SHA256
9aa2854377ed0bc4b660537310067a10a03b5d54666059ab83a1d2f15336adcf

SHA512
12ec10931bed0ca446829e293e15b305af1ed62d27c1ad607dd372834837caab20f992c99169650cfdd2c661695388d7f2010d8ac1b7b3cf044b95b5a4da7a8c

Download Submit
\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
bd5df5dc5869453a2501a80c6fc937f4

SHA1
ce691012b4a2a0d75dfb74d54f4f61ab6194ff91

SHA256
c7c51c52d0201decd12006c38608e5e3c935708f5d5014268095040bfae4e479

SHA512
f1a09d8691e0fb0185d14d34bbd664f60d0c3ce4c91d5ad8fceaea98f47b4cec9394def0ef081d24a422ef15c55e2d5ddcd14ae65afb1de6986735398100ea7d

Download Submit
memory/296-51-0x0000000000050000-0x000000000022A000-memory.dmp

Filesize
1.9MB

Download
memory/752-84-0x0000000000F60000-0x000000000113A000-memory.dmp

Filesize
1.9MB

Download
memory/1252-73-0x00000000000C0000-0x000000000029A000-memory.dmp

Filesize
1.9MB

Download
memory/1600-148-0x00000000011B0000-0x000000000138A000-memory.dmp

Filesize
1.9MB

Download
memory/1724-106-0x0000000000130000-0x000000000030A000-memory.dmp

Filesize
1.9MB

Download
memory/1928-40-0x0000000001260000-0x000000000143A000-memory.dmp

Filesize
1.9MB

Download
memory/2356-170-0x00000000012C0000-0x000000000149A000-memory.dmp

Filesize
1.9MB

Download
memory/2448-62-0x0000000000B80000-0x0000000000D5A000-memory.dmp

Filesize
1.9MB

Download
memory/2736-117-0x0000000000AF0000-0x0000000000CCA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-17-0x000000001AC50000-0x000000001AC6C000-memory.dmp

Filesize
112KB

Download
memory/2808-15-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/2808-19-0x000000001AC70000-0x000000001AC88000-memory.dmp

Filesize
96KB

Download
memory/2808-21-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2808-13-0x00000000001C0000-0x000000000039A000-memory.dmp

Filesize
1.9MB

Download