dcrat | 5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
Size

2.4MB
MD5

6296cf36bbbbe91b8ff186d18a08afa3
SHA1

3c71d4099d817731504433785dd2166f81d8ef15
SHA256

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512

773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP

49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 13 IoCs

pid	Process
2948	ComponentBrowserruntimeHostNet.exe
2412	conhost.exe
2176	conhost.exe
2084	conhost.exe
2484	conhost.exe
1968	conhost.exe
1068	conhost.exe
2536	conhost.exe
1960	conhost.exe
1488	conhost.exe
2128	conhost.exe
1092	conhost.exe
1164	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	cmd.exe
2124	cmd.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\dwm.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Windows Defender\6cb0b6c459d5d3	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Windows Journal\es-ES\conhost.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\Windows Journal\es-ES\088424020bedd6	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	ComponentBrowserruntimeHostNet.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	ComponentBrowserruntimeHostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2188	PING.EXE
2792	PING.EXE
2060	PING.EXE
2336	PING.EXE
1020	PING.EXE
2704	PING.EXE
1672	PING.EXE
2548	PING.EXE
3044	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE
2060	PING.EXE
2188	PING.EXE
2548	PING.EXE
3044	PING.EXE
2792	PING.EXE
2704	PING.EXE
1672	PING.EXE
1020	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe
2948	ComponentBrowserruntimeHostNet.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	ComponentBrowserruntimeHostNet.exe
Token: SeDebugPrivilege	2412	conhost.exe
Token: SeDebugPrivilege	2176	conhost.exe
Token: SeDebugPrivilege	2084	conhost.exe
Token: SeDebugPrivilege	2484	conhost.exe
Token: SeDebugPrivilege	1968	conhost.exe
Token: SeDebugPrivilege	1068	conhost.exe
Token: SeDebugPrivilege	2536	conhost.exe
Token: SeDebugPrivilege	1960	conhost.exe
Token: SeDebugPrivilege	1488	conhost.exe
Token: SeDebugPrivilege	2128	conhost.exe
Token: SeDebugPrivilege	1092	conhost.exe
Token: SeDebugPrivilege	1164	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2160	1704	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	30
PID 1704 wrote to memory of 2160	1704	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	30
PID 1704 wrote to memory of 2160	1704	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	30
PID 1704 wrote to memory of 2160	1704	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	30
PID 2160 wrote to memory of 2124	2160	WScript.exe	31
PID 2160 wrote to memory of 2124	2160	WScript.exe	31
PID 2160 wrote to memory of 2124	2160	WScript.exe	31
PID 2160 wrote to memory of 2124	2160	WScript.exe	31
PID 2124 wrote to memory of 2948	2124	cmd.exe	33
PID 2124 wrote to memory of 2948	2124	cmd.exe	33
PID 2124 wrote to memory of 2948	2124	cmd.exe	33
PID 2124 wrote to memory of 2948	2124	cmd.exe	33
PID 2948 wrote to memory of 2504	2948	ComponentBrowserruntimeHostNet.exe	34
PID 2948 wrote to memory of 2504	2948	ComponentBrowserruntimeHostNet.exe	34
PID 2948 wrote to memory of 2504	2948	ComponentBrowserruntimeHostNet.exe	34
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2972	2504	cmd.exe	36
PID 2504 wrote to memory of 2704	2504	cmd.exe	37
PID 2504 wrote to memory of 2704	2504	cmd.exe	37
PID 2504 wrote to memory of 2704	2504	cmd.exe	37
PID 2504 wrote to memory of 2412	2504	cmd.exe	39
PID 2504 wrote to memory of 2412	2504	cmd.exe	39
PID 2504 wrote to memory of 2412	2504	cmd.exe	39
PID 2412 wrote to memory of 2348	2412	conhost.exe	40
PID 2412 wrote to memory of 2348	2412	conhost.exe	40
PID 2412 wrote to memory of 2348	2412	conhost.exe	40
PID 2348 wrote to memory of 2908	2348	cmd.exe	42
PID 2348 wrote to memory of 2908	2348	cmd.exe	42
PID 2348 wrote to memory of 2908	2348	cmd.exe	42
PID 2348 wrote to memory of 3008	2348	cmd.exe	43
PID 2348 wrote to memory of 3008	2348	cmd.exe	43
PID 2348 wrote to memory of 3008	2348	cmd.exe	43
PID 2348 wrote to memory of 2176	2348	cmd.exe	44
PID 2348 wrote to memory of 2176	2348	cmd.exe	44
PID 2348 wrote to memory of 2176	2348	cmd.exe	44
PID 2176 wrote to memory of 2804	2176	conhost.exe	45
PID 2176 wrote to memory of 2804	2176	conhost.exe	45
PID 2176 wrote to memory of 2804	2176	conhost.exe	45
PID 2804 wrote to memory of 2600	2804	cmd.exe	47
PID 2804 wrote to memory of 2600	2804	cmd.exe	47
PID 2804 wrote to memory of 2600	2804	cmd.exe	47
PID 2804 wrote to memory of 2188	2804	cmd.exe	48
PID 2804 wrote to memory of 2188	2804	cmd.exe	48
PID 2804 wrote to memory of 2188	2804	cmd.exe	48
PID 2804 wrote to memory of 2084	2804	cmd.exe	49
PID 2804 wrote to memory of 2084	2804	cmd.exe	49
PID 2804 wrote to memory of 2084	2804	cmd.exe	49
PID 2084 wrote to memory of 2608	2084	conhost.exe	50
PID 2084 wrote to memory of 2608	2084	conhost.exe	50
PID 2084 wrote to memory of 2608	2084	conhost.exe	50
PID 2608 wrote to memory of 2668	2608	cmd.exe	52
PID 2608 wrote to memory of 2668	2608	cmd.exe	52
PID 2608 wrote to memory of 2668	2608	cmd.exe	52
PID 2608 wrote to memory of 1832	2608	cmd.exe	53
PID 2608 wrote to memory of 1832	2608	cmd.exe	53
PID 2608 wrote to memory of 1832	2608	cmd.exe	53
PID 2608 wrote to memory of 2484	2608	cmd.exe	54
PID 2608 wrote to memory of 2484	2608	cmd.exe	54
PID 2608 wrote to memory of 2484	2608	cmd.exe	54
PID 2484 wrote to memory of 2532	2484	conhost.exe	55
PID 2484 wrote to memory of 2532	2484	conhost.exe	55
PID 2484 wrote to memory of 2532	2484	conhost.exe	55
PID 2532 wrote to memory of 292	2532	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
"C:\Users\Admin\AppData\Local\Temp\5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
      "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fWi31OW3JE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2972
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
      - C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3008
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dy6IB2J8ca.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1832
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MRBwkdmBhu.bat"
        15⤵
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2200
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat"
        17⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b8nWhu89y1.bat"
        19⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
        21⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat"
        23⤵
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
        25⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XN8oWRXMLz.bat"
        27⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2252
        
        C:\Program Files\Windows Journal\es-ES\conhost.exe
        
        "C:\Program Files\Windows Journal\es-ES\conhost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        29⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Filesize
112B

MD5
bfbf412350fa794765180eb365d663fb

SHA1
04021ba70227e0a5f7cf29c7b85d0190f82d7f37

SHA256
b7a5da4f22c70794c60b65e06512f5f3f9e2e2803e98a99567ab859fd56f0f60

SHA512
23b6b4429e43f8fe66b0e37908d1a0580a60938281928b7b98c9fc8fb531ab7c61bc426514990b6e97fa6a95d0509e8934b77480725c748ecec20997e4371139

Download Submit
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Filesize
254B

MD5
fce58ab003f289bc419d62ce02f832fb

SHA1
dfa69ae2ce984c05356fba2074172bce822ed518

SHA256
f7a2151aa23631bde2ff93435f0209ec2a3f8f2aff2b9024f75b5e20a70677b9

SHA512
9284e6ed46b9e60329acb0f4829170fc047ff12990d7b7d8a0e0b739b59905a65318dde0f95992b33a930211bd20d1759e745be6a1f4fa2e58b94f58b514171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dy6IB2J8ca.bat

Filesize
178B

MD5
73038547239db63cf5ae433529f497e4

SHA1
543434e8b8937dae0b9d2a341323711534ff67ce

SHA256
d1cc18b83f424e04fcd414a65ff9e9b1521a3d1471105f3a7a7b45147d257c78

SHA512
1fc3386dc704f36b0d4f13a4dd9293f9cbbf68706b79896c061a1d1d4fefbc6881235f656a544b34b600b76ecd48be086b77e4500a017f4797572409bca3c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRBwkdmBhu.bat

Filesize
226B

MD5
8cab8bfcd46edeed9918ed8f3473267d

SHA1
9f4157c6de5db5d90ee47233992b5d6768a566d5

SHA256
4185a425f82926b6e371de35770d7dc157de871bde798e0b086c62ad7e9a442c

SHA512
c0f602b06d2392260d8ae4f9fdab1cae94fd91224dd20f0df7a1e89e1c359b70eff2ae5f9289d7c474b59da1f18162067679c46aa9630268a0a257cabf51191c

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat

Filesize
178B

MD5
9283a868e63f045ea16f22231a4099d7

SHA1
801e6eed21decc45b58d9d6d7b6617e90e6b4741

SHA256
e059546dc1906c2c21fae665c75a1c3e268d039ce6cbba0cfd9e375326b12a19

SHA512
714a938879d0da9506e7e01bb68c338dce74b7d736c56d7724535c77a1737323b2981f2d7dd92799ec8e4ea58179f931f864d9bb760c190a4fa72f3f752b43b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XN8oWRXMLz.bat

Filesize
226B

MD5
48002343beda26d7f491485c92429cee

SHA1
7272e79b5bae097fcf77015af91c58ee8ca621a2

SHA256
5880bb7f268656c1b11fd458e5f172a146dd1680a511edc35ba1284d784a84c9

SHA512
eec0b8164248a1ae42731c4d799a9395724c67fa136024119c746e8d78b70a320cf7977abab8b6cc4e432848002d2e6452f86e03d2b824815666b84ecd26b520

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFxA7ALGfV.bat

Filesize
178B

MD5
f4ecd1d798c6d206f78e802ce14ddb90

SHA1
bd02fd23c581386ca524073c9e8c76739c8e367c

SHA256
f386045681949b3a85897302d75742c2a1baa608892038ac326241371a8c7c09

SHA512
02d7db9bbeb8af7809170ec9340575d8c74d2281a02a68ed6ca8697c67fa77f2ec91107367b739a749d190e6b9d42579b55bbfe8d42287d64de4b92d87946118

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8nWhu89y1.bat

Filesize
178B

MD5
a7431c2e19f89717cc213b28678e0272

SHA1
06bbfc0027ea2ce6077b3f19a30af6ad3868ebf2

SHA256
083a914ea00c11f001aa547077e2c75f3ad0cfbd24b68363070f5840e6af712d

SHA512
40840a95163a2db5d7e1fd787ec6e44ae0d56b33abeebb0451e97ee1cf8853fcde5c7b5ca45f11f4487ab0b98048dd7582de47bc86a0f439cde7bbe28994051d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat

Filesize
178B

MD5
71d1b85e3d02a8f06637c1781a1e1cb8

SHA1
859e99dfe93fe648d7a8eacf6cc94932cda92aec

SHA256
fd4b2a633edd2575fbc25a4d539ce3256cb22bb1325777d9ea2ead3208996dcf

SHA512
186f3c6668e0cf73f74917e64a1c18949eca86d836db68c9536691a0db3cd7f1feb8241b5f82fa5284b75112fa6f7d3398ddee83a3c73b8f8b26feb064e695ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWi31OW3JE.bat

Filesize
178B

MD5
4b91c36635ebb6519a36ff6e104e5701

SHA1
e795928560a19ce94fa4a4724abeb59f89e0cf99

SHA256
145ab8a41fb1abad4f710afa96f206b7b7d54836f76fbfcc2d7ff88ec4d84c23

SHA512
8bf71248cd517b9cb0cc5b19fd6ddd60df522abc0f13994faf44589df8e1620cefd2e55a11442f682a26a8e7acd5b5eec8b53308c2efa850807a2215242d2469

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
178B

MD5
248766d8ebed292d47f3568861920ee2

SHA1
47ab4c82ca3ddb1640327521d2651017c7309701

SHA256
32361ebbf5784533c5c4e6749e9b376db7cc7693d3a29c8d1077202c4de38229

SHA512
613bdfafad3d75e8c4e83b0a1f4d3cec3d5af6e12d518403c91d7f974f9c21e61d44172931c92921cb07f145befa87beb16d76e3bf8089b6803956a51f80f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat

Filesize
226B

MD5
4674167ca7fc80fa3310c8614fe10476

SHA1
4cb3af145a2a18edf5072c50716a9a99ccd99c25

SHA256
b44464ad4cefc5c851d1c35c98b9feeb54439ef3a1605b40f4cf32dbc00c77f0

SHA512
68b9f3f501e1714738ba971f145b490e8c9a76ade2b3393b8715950274134b369bb852d6eb7b8284debcbee43d4535078351929516025aad87334287862d97b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat

Filesize
226B

MD5
f9b92b27863ad9e31594b5348796021b

SHA1
c54fd189323954e48152b92086aa9ba2c132407d

SHA256
3fca8160fb66e1c7eb6d3df823cb0db3e5ccb05d8e7c2036031d5d5af0064147

SHA512
5b1159c6c83a2c7c18927b1be62c26e07782c31f44e4c754a7089ee0bb9ab5a40e63b6bb32beb5726abf77c00c481da922f96251adfb22c11a2c2254122853c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
178B

MD5
20010f12eb96b717dd45920290b1eded

SHA1
114654e00d38563d6878b0281302e73ee819efd1

SHA256
9bf46b783a437d60bdecd2d4599fba97f07c9e8749c652fce5024c3430546e37

SHA512
e83b879ce375402d238dc2b736ad547c9b70fc99d4f9e50b1ec6871e160fb210e5b2b3cf1758975a7a35d48256b3968e96c03737d0c52d4ab3f149b65150f86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat

Filesize
178B

MD5
7d45241f39c94f7ff429171312fbafde

SHA1
f5a06de4df2eb15580c051e30ef4d8e7973ccbfc

SHA256
d3501d7098f57fcd7ea1455e0fb7ae04fe991132bb02ba97a0f8641a33cbe083

SHA512
ca09b02ab9d3902a3ac6386ac622bf8783939ddf65a27ffe83847bd3f4b8eaa6f33e4f2386760684f216e02b14191caae179819de584f17f36c3c3a8bf2ce5e7

Download Submit
\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
bd5df5dc5869453a2501a80c6fc937f4

SHA1
ce691012b4a2a0d75dfb74d54f4f61ab6194ff91

SHA256
c7c51c52d0201decd12006c38608e5e3c935708f5d5014268095040bfae4e479

SHA512
f1a09d8691e0fb0185d14d34bbd664f60d0c3ce4c91d5ad8fceaea98f47b4cec9394def0ef081d24a422ef15c55e2d5ddcd14ae65afb1de6986735398100ea7d

Download Submit
memory/1488-123-0x00000000001B0000-0x000000000038A000-memory.dmp

Filesize
1.9MB

Download
memory/2128-134-0x00000000000B0000-0x000000000028A000-memory.dmp

Filesize
1.9MB

Download
memory/2412-40-0x0000000001350000-0x000000000152A000-memory.dmp

Filesize
1.9MB

Download
memory/2948-21-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/2948-15-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2948-13-0x0000000000C70000-0x0000000000E4A000-memory.dmp

Filesize
1.9MB

Download
memory/2948-17-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2948-19-0x0000000000A30000-0x0000000000A48000-memory.dmp

Filesize
96KB

Download