dcrat | 5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70

Analysis

max time kernel
102s
max time network
103s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-12-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

2.4MB
MD5

6296cf36bbbbe91b8ff186d18a08afa3
SHA1

3c71d4099d817731504433785dd2166f81d8ef15
SHA256

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512

773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP

49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 11 IoCs

pid	Process
3872	ComponentBrowserruntimeHostNet.exe
3528	SppExtComObj.exe
4756	SppExtComObj.exe
2664	SppExtComObj.exe
636	SppExtComObj.exe
4796	SppExtComObj.exe
2208	SppExtComObj.exe
1556	SppExtComObj.exe
2476	SppExtComObj.exe
1880	SppExtComObj.exe
552	SppExtComObj.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\ComponentBrowserruntimeHostNet.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\7695831dfd402e	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\e1ef82546f0b02	ComponentBrowserruntimeHostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2116	PING.EXE
732	PING.EXE
3792	PING.EXE
2896	PING.EXE
2956	PING.EXE
1720	PING.EXE
1948	PING.EXE

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	SppExtComObj.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE
2116	PING.EXE
732	PING.EXE
3792	PING.EXE
2896	PING.EXE
2956	PING.EXE
1720	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe
3872	ComponentBrowserruntimeHostNet.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	ComponentBrowserruntimeHostNet.exe
Token: SeDebugPrivilege	3528	SppExtComObj.exe
Token: SeDebugPrivilege	4756	SppExtComObj.exe
Token: SeDebugPrivilege	2664	SppExtComObj.exe
Token: SeDebugPrivilege	636	SppExtComObj.exe
Token: SeDebugPrivilege	4796	SppExtComObj.exe
Token: SeDebugPrivilege	2208	SppExtComObj.exe
Token: SeDebugPrivilege	1556	SppExtComObj.exe
Token: SeDebugPrivilege	2476	SppExtComObj.exe
Token: SeDebugPrivilege	1880	SppExtComObj.exe
Token: SeDebugPrivilege	552	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 764	4348	svchost.exe	82
PID 4348 wrote to memory of 764	4348	svchost.exe	82
PID 4348 wrote to memory of 764	4348	svchost.exe	82
PID 764 wrote to memory of 768	764	WScript.exe	86
PID 764 wrote to memory of 768	764	WScript.exe	86
PID 764 wrote to memory of 768	764	WScript.exe	86
PID 768 wrote to memory of 3872	768	cmd.exe	88
PID 768 wrote to memory of 3872	768	cmd.exe	88
PID 3872 wrote to memory of 4332	3872	ComponentBrowserruntimeHostNet.exe	90
PID 3872 wrote to memory of 4332	3872	ComponentBrowserruntimeHostNet.exe	90
PID 4332 wrote to memory of 3500	4332	cmd.exe	92
PID 4332 wrote to memory of 3500	4332	cmd.exe	92
PID 4332 wrote to memory of 2116	4332	cmd.exe	93
PID 4332 wrote to memory of 2116	4332	cmd.exe	93
PID 4332 wrote to memory of 3528	4332	cmd.exe	97
PID 4332 wrote to memory of 3528	4332	cmd.exe	97
PID 3528 wrote to memory of 4616	3528	SppExtComObj.exe	98
PID 3528 wrote to memory of 4616	3528	SppExtComObj.exe	98
PID 4616 wrote to memory of 4760	4616	cmd.exe	100
PID 4616 wrote to memory of 4760	4616	cmd.exe	100
PID 4616 wrote to memory of 1560	4616	cmd.exe	101
PID 4616 wrote to memory of 1560	4616	cmd.exe	101
PID 4616 wrote to memory of 4756	4616	cmd.exe	102
PID 4616 wrote to memory of 4756	4616	cmd.exe	102
PID 4756 wrote to memory of 2152	4756	SppExtComObj.exe	103
PID 4756 wrote to memory of 2152	4756	SppExtComObj.exe	103
PID 2152 wrote to memory of 4664	2152	cmd.exe	105
PID 2152 wrote to memory of 4664	2152	cmd.exe	105
PID 2152 wrote to memory of 732	2152	cmd.exe	106
PID 2152 wrote to memory of 732	2152	cmd.exe	106
PID 2152 wrote to memory of 2664	2152	cmd.exe	108
PID 2152 wrote to memory of 2664	2152	cmd.exe	108
PID 2664 wrote to memory of 4828	2664	SppExtComObj.exe	109
PID 2664 wrote to memory of 4828	2664	SppExtComObj.exe	109
PID 4828 wrote to memory of 4560	4828	cmd.exe	111
PID 4828 wrote to memory of 4560	4828	cmd.exe	111
PID 4828 wrote to memory of 3924	4828	cmd.exe	112
PID 4828 wrote to memory of 3924	4828	cmd.exe	112
PID 4828 wrote to memory of 636	4828	cmd.exe	113
PID 4828 wrote to memory of 636	4828	cmd.exe	113
PID 636 wrote to memory of 4984	636	SppExtComObj.exe	114
PID 636 wrote to memory of 4984	636	SppExtComObj.exe	114
PID 4984 wrote to memory of 3760	4984	cmd.exe	116
PID 4984 wrote to memory of 3760	4984	cmd.exe	116
PID 4984 wrote to memory of 3792	4984	cmd.exe	117
PID 4984 wrote to memory of 3792	4984	cmd.exe	117
PID 4984 wrote to memory of 4796	4984	cmd.exe	118
PID 4984 wrote to memory of 4796	4984	cmd.exe	118
PID 4796 wrote to memory of 2516	4796	SppExtComObj.exe	119
PID 4796 wrote to memory of 2516	4796	SppExtComObj.exe	119
PID 2516 wrote to memory of 2068	2516	cmd.exe	121
PID 2516 wrote to memory of 2068	2516	cmd.exe	121
PID 2516 wrote to memory of 2896	2516	cmd.exe	122
PID 2516 wrote to memory of 2896	2516	cmd.exe	122
PID 2516 wrote to memory of 2208	2516	cmd.exe	123
PID 2516 wrote to memory of 2208	2516	cmd.exe	123
PID 2208 wrote to memory of 3592	2208	SppExtComObj.exe	124
PID 2208 wrote to memory of 3592	2208	SppExtComObj.exe	124
PID 3592 wrote to memory of 3352	3592	cmd.exe	126
PID 3592 wrote to memory of 3352	3592	cmd.exe	126
PID 3592 wrote to memory of 3164	3592	cmd.exe	127
PID 3592 wrote to memory of 3164	3592	cmd.exe	127
PID 3592 wrote to memory of 1556	3592	cmd.exe	128
PID 3592 wrote to memory of 1556	3592	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
      "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\361m8v62KO.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3500
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1560
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3924
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IjhYHMnc89.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3792
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3164
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\liBLcijL4Q.bat"
        19⤵
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4408
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cO0v9X3fOA.bat"
        21⤵
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat"
        23⤵
        
        PID:732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iEW5dCkeha.bat"
        25⤵
        
        PID:4528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Filesize
112B

MD5
bfbf412350fa794765180eb365d663fb

SHA1
04021ba70227e0a5f7cf29c7b85d0190f82d7f37

SHA256
b7a5da4f22c70794c60b65e06512f5f3f9e2e2803e98a99567ab859fd56f0f60

SHA512
23b6b4429e43f8fe66b0e37908d1a0580a60938281928b7b98c9fc8fb531ab7c61bc426514990b6e97fa6a95d0509e8934b77480725c748ecec20997e4371139

Download Submit
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
bd5df5dc5869453a2501a80c6fc937f4

SHA1
ce691012b4a2a0d75dfb74d54f4f61ab6194ff91

SHA256
c7c51c52d0201decd12006c38608e5e3c935708f5d5014268095040bfae4e479

SHA512
f1a09d8691e0fb0185d14d34bbd664f60d0c3ce4c91d5ad8fceaea98f47b4cec9394def0ef081d24a422ef15c55e2d5ddcd14ae65afb1de6986735398100ea7d

Download Submit
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Filesize
254B

MD5
fce58ab003f289bc419d62ce02f832fb

SHA1
dfa69ae2ce984c05356fba2074172bce822ed518

SHA256
f7a2151aa23631bde2ff93435f0209ec2a3f8f2aff2b9024f75b5e20a70677b9

SHA512
9284e6ed46b9e60329acb0f4829170fc047ff12990d7b7d8a0e0b739b59905a65318dde0f95992b33a930211bd20d1759e745be6a1f4fa2e58b94f58b514171f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
69fde678382b66258b4b778118d8ab82

SHA1
10082382d38de4b8e2f787f92980855a8d871d84

SHA256
5c791046f8bbab87b43f0c09cef48712b1547defcd4e82a741a42b94491407e2

SHA512
80c0089675b86f771d27a590398202016cf34286882acde0aeb2d30c54e65f5f3df0ddc1705ec779b2b5578c7c693def9a5f66a0d5c6883114421465ade8472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\361m8v62KO.bat

Filesize
213B

MD5
a77aa61f00a8cb9929c00e7d7a4eed8f

SHA1
84a6bd29d5e3964852fab1d89a7624b683c374ec

SHA256
0009e5ca3d69ffc934669a8e7dba9ed35436cd05c4c92f94ead60e4095e73c34

SHA512
12309f55b750bc8d12e9800b9feb86ec3534553e9bcf6990de25c4012fd84ce7bef524f6b1d64fbcf1d6310ec32685adaede23b9ef14cf76b267d89380ae09a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SG4wIGqnh.bat

Filesize
261B

MD5
59cefc4d504c88d43e9da440b2f71e13

SHA1
7e93a19b14d08661b63b785344f0cd1cd5345618

SHA256
eabe1e255bca2253a3830c23b72c95550cc4d17869bf0b69a67e38e588afcdf7

SHA512
ab589e15aedf7aa250a32280a868fec359498f3c7a73c989f3aead889edee21c6de43fdc87a55e00cbafa5feaa435303f332a29efa164b1f6fa41a5568985e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vvLuoFXBX.bat

Filesize
213B

MD5
38b8336df589aa0a4a78367b29aea711

SHA1
a5cfec6d2c8e68eaaacccad5aa8c6e61107574f9

SHA256
b56beaace444f3807919376797ba2bc82f2d4af19f6af64cd362440463119503

SHA512
322bb3c1e4d9b14a4d7590cff88834e91f157ac150a769774f7657812ebed73716d02e239da390e0ee31c19f9ae8a5e04c7f42eccdea103ff07ad583fea40050

Download Submit
C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat

Filesize
213B

MD5
c14aef662a5f97ef20fe6b9da53ea63e

SHA1
ed1e9aafc3035d9566f65a3e66cd420398f341e0

SHA256
08203de48c8f3bc45598cbc468a51910f27894279bfe7510d6babe473fd807bc

SHA512
895270738d9cca556aaf9a1f65902d7ecc3a7ce0b85bc5aca819c37a78a85e1b84cacd72046dc8774b5884bc2c9b7d4d5209b205e8832b19a7e2043a9691eb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat

Filesize
261B

MD5
9c73e65040b80013abc6be5aad963013

SHA1
f1de1b38e2a26e466b9d62d20bcf6c47028b3f26

SHA256
e7d52ae19f2243891bae1eb2cac6d0c34246f80fd45be3e773ed1d4248db47d7

SHA512
b7491d4246f954c7d0b483b67359d5e1c34ef0d1e2e2bbd4ed1de5caa1661512130dc614a747ac8e921f87ea161695affc8d2d876cc62317a3211da6a7fd96d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IjhYHMnc89.bat

Filesize
213B

MD5
169fabaebcc2ae95b932883104bfdf66

SHA1
2c028b4d4a8a1c9bf9032592032fd252f28b6ad1

SHA256
5ec0ffe65af19d86bf077fefb5e74d9342a7b5c4b649d8b4b83e1c3910e24d36

SHA512
9b7a9aa1020bf3a5e2178de3e1d2a7b356ea1036380b5fdfddc0733d1ceb549423ff10db6df06d02e17f95bab7b6bb22e0ae9ce2e3ac30975dd7a8c8edb7e648

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat

Filesize
261B

MD5
9f37881b65fc1bb8da02007a3e5a67fd

SHA1
4e1032df45b03ba81088906cc33b777ddc465239

SHA256
338ff4ae6a4faa6a0edee9c615117c28d38874dee8c6768e6979efd44e2ffdcf

SHA512
d2badde2ca3724eb79b523fc5376350f8464ccba520d06f2504a34dc2663f8b1555a8ac2bc22e7d37cf7aa6be2bc6f6c353a0afb1c3ae37aee5082dee3cdd20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cO0v9X3fOA.bat

Filesize
213B

MD5
921b28d1a803e2248510b04356b383ea

SHA1
dcbe67e02d9cea8623dca4f8ad4e0d7bd7cc8a8a

SHA256
87a3f00628b57d76a5e021bd219b17079e4d71b403a7a4929f926a874106545b

SHA512
d5ff9bce75aa80d964ca29d1ec673298f4e6b4f5e1692e0d8b166eb8daa2e7a3b2bd318759deb0187a1d1675585c9d9d8d781992a85ce5e0e0661af872fcf682

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEW5dCkeha.bat

Filesize
213B

MD5
9bbb28c4e131aea6ac39b49f33753bb1

SHA1
7da09d020f408ef1ae9f19c74f7adf762d06c253

SHA256
dbb7765d0204b8431c2a0227a044d343ce0e514ef535498b86a7d8bda77cdbcf

SHA512
38bfd8f190a1c537f3a58ee7697f6e1e28a99683bab7de33bbbf4b9f046b4d4e4fff3c27f47956b2f6e83df7c3fb2ee0904843287cd56ab44ee7c867b3bd4f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\liBLcijL4Q.bat

Filesize
261B

MD5
74d8fd17fee57f44ee4ae2a38321279c

SHA1
c76afd9820518d410835b13150a825d798f8d5f9

SHA256
a50062fa3f386e589f4f9eaad51c3fcc15d99b83a0369db2ba9af072a792d354

SHA512
cb39e2632651764622e4ea7ed8a676c014a1acc7c703bb1d7d8baf49e9941ddd329a0cf0675725e43a0dba16b55d7d0f87237d755a7639bd160519cd86d87d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat

Filesize
213B

MD5
155c34a61df7547fe49541038614db73

SHA1
2ce825524208aff99afe2b767337ccbe6210cead

SHA256
c1f77c96ce62df0c6c6e17e3b38692acee274e621fc187a0645562d599e2d6c6

SHA512
e32b1f91c53ed3d4e54be90ab82a58d51b87108ae015d9883a5b247d1291a1e8ea2a7b82f68e69647d69ef49edca86b86c20949e5d0ed3fd4b685b430622f5ce

Download Submit
memory/552-181-0x000000001B3C0000-0x000000001B42B000-memory.dmp

Filesize
428KB

Download
memory/636-97-0x000000001BAA0000-0x000000001BB0B000-memory.dmp

Filesize
428KB

Download
memory/1556-139-0x000000001B080000-0x000000001B0EB000-memory.dmp

Filesize
428KB

Download
memory/1880-167-0x000000001B030000-0x000000001B09B000-memory.dmp

Filesize
428KB

Download
memory/2208-125-0x000000001BC40000-0x000000001BCAB000-memory.dmp

Filesize
428KB

Download
memory/2476-153-0x000000001B990000-0x000000001B9FB000-memory.dmp

Filesize
428KB

Download
memory/2664-83-0x000000001C060000-0x000000001C0CB000-memory.dmp

Filesize
428KB

Download
memory/3528-54-0x000000001BD40000-0x000000001BDAB000-memory.dmp

Filesize
428KB

Download
memory/3872-20-0x00000000032C0000-0x00000000032DC000-memory.dmp

Filesize
112KB

Download
memory/3872-18-0x0000000001AA0000-0x0000000001AAE000-memory.dmp

Filesize
56KB

Download
memory/3872-16-0x0000000000FC0000-0x000000000119A000-memory.dmp

Filesize
1.9MB

Download
memory/3872-21-0x0000000003350000-0x00000000033A0000-memory.dmp

Filesize
320KB

Download
memory/3872-23-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/3872-25-0x00000000032A0000-0x00000000032AC000-memory.dmp

Filesize
48KB

Download
memory/3872-15-0x00007FFD4E903000-0x00007FFD4E905000-memory.dmp

Filesize
8KB

Download
memory/4756-69-0x000000001B470000-0x000000001B4DB000-memory.dmp

Filesize
428KB

Download
memory/4796-111-0x000000001B980000-0x000000001B9EB000-memory.dmp

Filesize
428KB

Download