dcrat | 5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
Size

2.4MB
MD5

6296cf36bbbbe91b8ff186d18a08afa3
SHA1

3c71d4099d817731504433785dd2166f81d8ef15
SHA256

5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512

773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP

49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ComponentBrowserruntimeHostNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 17 IoCs

pid	Process
4848	ComponentBrowserruntimeHostNet.exe
2500	winlogon.exe
3304	winlogon.exe
4452	winlogon.exe
3688	winlogon.exe
1684	winlogon.exe
4172	winlogon.exe
3648	winlogon.exe
528	winlogon.exe
4504	winlogon.exe
4100	winlogon.exe
2768	winlogon.exe
636	winlogon.exe
5080	winlogon.exe
780	winlogon.exe
2004	winlogon.exe
5052	winlogon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\cc11b995f2a76d	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\VideoLAN\VLC\lua\taskhostw.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files\VideoLAN\VLC\lua\ea9f0e6c9e2dcd	ComponentBrowserruntimeHostNet.exe
File created	C:\Program Files (x86)\Reference Assemblies\winlogon.exe	ComponentBrowserruntimeHostNet.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\winlogon.exe	ComponentBrowserruntimeHostNet.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPMethods\cmd.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Windows\DiagTrack\Scenarios\dllhost.exe	ComponentBrowserruntimeHostNet.exe
File created	C:\Windows\DiagTrack\Scenarios\5940a34987c991	ComponentBrowserruntimeHostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3240	PING.EXE
2660	PING.EXE
3608	PING.EXE
3036	PING.EXE
4552	PING.EXE
776	PING.EXE
3204	PING.EXE
2232	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	ComponentBrowserruntimeHostNet.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	winlogon.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
3608	PING.EXE
3036	PING.EXE
4552	PING.EXE
776	PING.EXE
3204	PING.EXE
2232	PING.EXE
3240	PING.EXE
2660	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe
4848	ComponentBrowserruntimeHostNet.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	ComponentBrowserruntimeHostNet.exe
Token: SeDebugPrivilege	2500	winlogon.exe
Token: SeDebugPrivilege	3304	winlogon.exe
Token: SeDebugPrivilege	4452	winlogon.exe
Token: SeDebugPrivilege	3688	winlogon.exe
Token: SeDebugPrivilege	1684	winlogon.exe
Token: SeDebugPrivilege	4172	winlogon.exe
Token: SeDebugPrivilege	3648	winlogon.exe
Token: SeDebugPrivilege	528	winlogon.exe
Token: SeDebugPrivilege	4504	winlogon.exe
Token: SeDebugPrivilege	4100	winlogon.exe
Token: SeDebugPrivilege	2768	winlogon.exe
Token: SeDebugPrivilege	636	winlogon.exe
Token: SeDebugPrivilege	5080	winlogon.exe
Token: SeDebugPrivilege	780	winlogon.exe
Token: SeDebugPrivilege	2004	winlogon.exe
Token: SeDebugPrivilege	5052	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 624	3204	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	82
PID 3204 wrote to memory of 624	3204	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	82
PID 3204 wrote to memory of 624	3204	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe	82
PID 624 wrote to memory of 4920	624	WScript.exe	83
PID 624 wrote to memory of 4920	624	WScript.exe	83
PID 624 wrote to memory of 4920	624	WScript.exe	83
PID 4920 wrote to memory of 4848	4920	cmd.exe	85
PID 4920 wrote to memory of 4848	4920	cmd.exe	85
PID 4848 wrote to memory of 812	4848	ComponentBrowserruntimeHostNet.exe	86
PID 4848 wrote to memory of 812	4848	ComponentBrowserruntimeHostNet.exe	86
PID 812 wrote to memory of 3944	812	cmd.exe	88
PID 812 wrote to memory of 3944	812	cmd.exe	88
PID 812 wrote to memory of 2660	812	cmd.exe	89
PID 812 wrote to memory of 2660	812	cmd.exe	89
PID 812 wrote to memory of 2500	812	cmd.exe	97
PID 812 wrote to memory of 2500	812	cmd.exe	97
PID 2500 wrote to memory of 1608	2500	winlogon.exe	98
PID 2500 wrote to memory of 1608	2500	winlogon.exe	98
PID 1608 wrote to memory of 528	1608	cmd.exe	100
PID 1608 wrote to memory of 528	1608	cmd.exe	100
PID 1608 wrote to memory of 3608	1608	cmd.exe	101
PID 1608 wrote to memory of 3608	1608	cmd.exe	101
PID 1608 wrote to memory of 3304	1608	cmd.exe	102
PID 1608 wrote to memory of 3304	1608	cmd.exe	102
PID 3304 wrote to memory of 4128	3304	winlogon.exe	104
PID 3304 wrote to memory of 4128	3304	winlogon.exe	104
PID 4128 wrote to memory of 2920	4128	cmd.exe	106
PID 4128 wrote to memory of 2920	4128	cmd.exe	106
PID 4128 wrote to memory of 1272	4128	cmd.exe	107
PID 4128 wrote to memory of 1272	4128	cmd.exe	107
PID 4128 wrote to memory of 4452	4128	cmd.exe	109
PID 4128 wrote to memory of 4452	4128	cmd.exe	109
PID 4452 wrote to memory of 3204	4452	winlogon.exe	110
PID 4452 wrote to memory of 3204	4452	winlogon.exe	110
PID 3204 wrote to memory of 4480	3204	cmd.exe	112
PID 3204 wrote to memory of 4480	3204	cmd.exe	112
PID 3204 wrote to memory of 4204	3204	cmd.exe	113
PID 3204 wrote to memory of 4204	3204	cmd.exe	113
PID 3204 wrote to memory of 3688	3204	cmd.exe	114
PID 3204 wrote to memory of 3688	3204	cmd.exe	114
PID 3688 wrote to memory of 2164	3688	winlogon.exe	115
PID 3688 wrote to memory of 2164	3688	winlogon.exe	115
PID 2164 wrote to memory of 3984	2164	cmd.exe	117
PID 2164 wrote to memory of 3984	2164	cmd.exe	117
PID 2164 wrote to memory of 3036	2164	cmd.exe	118
PID 2164 wrote to memory of 3036	2164	cmd.exe	118
PID 2164 wrote to memory of 1684	2164	cmd.exe	119
PID 2164 wrote to memory of 1684	2164	cmd.exe	119
PID 1684 wrote to memory of 1160	1684	winlogon.exe	120
PID 1684 wrote to memory of 1160	1684	winlogon.exe	120
PID 1160 wrote to memory of 2648	1160	cmd.exe	122
PID 1160 wrote to memory of 2648	1160	cmd.exe	122
PID 1160 wrote to memory of 2416	1160	cmd.exe	123
PID 1160 wrote to memory of 2416	1160	cmd.exe	123
PID 1160 wrote to memory of 4172	1160	cmd.exe	124
PID 1160 wrote to memory of 4172	1160	cmd.exe	124
PID 4172 wrote to memory of 4836	4172	winlogon.exe	125
PID 4172 wrote to memory of 4836	4172	winlogon.exe	125
PID 4836 wrote to memory of 3412	4836	cmd.exe	127
PID 4836 wrote to memory of 3412	4836	cmd.exe	127
PID 4836 wrote to memory of 4552	4836	cmd.exe	128
PID 4836 wrote to memory of 4552	4836	cmd.exe	128
PID 4836 wrote to memory of 3648	4836	cmd.exe	129
PID 4836 wrote to memory of 3648	4836	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe
"C:\Users\Admin\AppData\Local\Temp\5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
      "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H6ZOOeEqUi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3944
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
      - C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KPSM4TCvyK.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3608
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1272
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4204
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2416
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4552
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KPSM4TCvyK.bat"
        19⤵
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat"
        21⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:396
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"
        23⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3824
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fIZrPQRpQG.bat"
        25⤵
        
        PID:1216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3204
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        27⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:524
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat"
        29⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1068
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
        31⤵
        
        PID:4176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2660
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat"
        33⤵
        
        PID:4572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2540
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wopTFFySxd.bat"
        35⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
        
        C:\Program Files (x86)\Reference Assemblies\winlogon.exe
        
        "C:\Program Files (x86)\Reference Assemblies\winlogon.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat"
        37⤵
        
        PID:228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Filesize
112B

MD5
bfbf412350fa794765180eb365d663fb

SHA1
04021ba70227e0a5f7cf29c7b85d0190f82d7f37

SHA256
b7a5da4f22c70794c60b65e06512f5f3f9e2e2803e98a99567ab859fd56f0f60

SHA512
23b6b4429e43f8fe66b0e37908d1a0580a60938281928b7b98c9fc8fb531ab7c61bc426514990b6e97fa6a95d0509e8934b77480725c748ecec20997e4371139

Download Submit
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Filesize
1.8MB

MD5
bd5df5dc5869453a2501a80c6fc937f4

SHA1
ce691012b4a2a0d75dfb74d54f4f61ab6194ff91

SHA256
c7c51c52d0201decd12006c38608e5e3c935708f5d5014268095040bfae4e479

SHA512
f1a09d8691e0fb0185d14d34bbd664f60d0c3ce4c91d5ad8fceaea98f47b4cec9394def0ef081d24a422ef15c55e2d5ddcd14ae65afb1de6986735398100ea7d

Download Submit
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Filesize
254B

MD5
fce58ab003f289bc419d62ce02f832fb

SHA1
dfa69ae2ce984c05356fba2074172bce822ed518

SHA256
f7a2151aa23631bde2ff93435f0209ec2a3f8f2aff2b9024f75b5e20a70677b9

SHA512
9284e6ed46b9e60329acb0f4829170fc047ff12990d7b7d8a0e0b739b59905a65318dde0f95992b33a930211bd20d1759e745be6a1f4fa2e58b94f58b514171f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat

Filesize
232B

MD5
a3d3668c60bc8daa2bab86dab6991f94

SHA1
4983e4541e85add7c4b31c3e1af7c9cccda06f64

SHA256
ef805c0cb9d3fd60c9109c3ab77155019943d0710802ade266b2dabea16a536d

SHA512
6867faff8b39dd3ce8613bab1908c3c046b1a240a0d17b90309da47bea825c78622fc082410a5b5fe49d55cd133bba42379bde8bc7447d8f89c84d20f5c48ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat

Filesize
184B

MD5
1d2de7089fda7a594d1831c634b0b949

SHA1
5788000218b3dfa05932caf794f93c398ed4d046

SHA256
915bb4e8102a7213660f89e821f2f4516aea43a960f7f1326745303c795de9e9

SHA512
3e59df969d0ce837888dc7875f43dd51f2edb314db49d817ee4933b8e033d99b304083d1c3b1632051b60a6002cb03f36bafbef191c29e510d2f42f25e3639cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat

Filesize
184B

MD5
0facd6fd37158da9364afb5d757bd0e1

SHA1
35186d97be1d23a9dcc6e255e03d5eb506951df4

SHA256
14e45169ebe46e2994c3eea7c9402917a14295305e70f7dca41126aea3a5a69f

SHA512
4dbc22db0940137d1989f2b7f7685641fffebcfd3cbba462321f9debce263f32bea0b6b9f53bd92848a7fd06fdc9c86060a9c7cc2260031524fbf6db7a01119b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H6ZOOeEqUi.bat

Filesize
184B

MD5
45e8e970125f823a5cf90509a1fc480c

SHA1
54c81ed5476471f75336f421a2633b2994c38c39

SHA256
8304129321443faf9d608a18eb3191d6aa9aeab4b53051ac67698c0e3a651d59

SHA512
549c61a2f9403122e260b0449ff0c8a3c9e9c9a620e53034c9f4a31576c63f738445e0ee3276cf4665fd3027928147e66325b5d491e0f75381eb1a5dfade6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KPSM4TCvyK.bat

Filesize
184B

MD5
f8fa2b8ba67908bda994aaad73c0766e

SHA1
47cc8ac9539588f10386aeba76c628f6c0faa1df

SHA256
90d6deb159f545fbe65dd330a0bb08f493f4984d4374c7c99a7548108110f7f5

SHA512
9ff1943b0110b6979b4ac1f3f7830ffd8a5dd9006ba9bd58b4795da43740d6081f5588f2820935e5f679f053e22e1d3634418f38f6b2e45e9e1dea1f624ee156

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat

Filesize
232B

MD5
e65a3b2f98c1e420c875efc0bd701a83

SHA1
dae38b86bb7dd55a16e19c7fd511bc5147407f3e

SHA256
07eb6f2ea4ea0b0e37f984cfd6f9cf7b0e2acd0afea90b0e8a092ed6e0b13640

SHA512
b033ec8ce4fa30c6fdd3fdd7b6697e00f88cc88a9b33d7784647670b3568e3d00e768e062e4a393fe2c1d77ac23d0b6f9548e7552fa2e638919a67df78cd7cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat

Filesize
184B

MD5
1b691717c9b5d08cb0154d603393f2f3

SHA1
a19b50e9cc1bd689c90aa43d5514d4dbc617c687

SHA256
86b1d151cd205c35ec3361c7b98844cddaf3cd5d7e2b3b199453793ab68023bb

SHA512
3714d01265ac3e48df2d9068de5212251471a4a4c31f19061fcdce8f2ac3fa54f698cdc40b5f569b38c09305053051494fdf3fbf5a24f60922980f14294c831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIZrPQRpQG.bat

Filesize
184B

MD5
20ca4c7f971de9e0e81cb17e71d61095

SHA1
67583d84b6a4852de9a56ca3683196601660dcc3

SHA256
f80ea1db14ebcf6727310c36f84059946a9786ecbc6511f901af62f1861556e4

SHA512
90213f9593be0363aa95363676cd1152fc41080e530c1bce0aa6a5156f9eafd68878fad5a8496a110c61cca612e8ca065038bf6bd4b6a7aeec658c98eef1a38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat

Filesize
232B

MD5
a4538b287466922a6d97e4c76fe1eec1

SHA1
4302086831e4be2525d84e42227a40f23efd3291

SHA256
e0bd36b1c4fba14dd7d8e7e2de247fe15a7df6dfa28ed3cd5f55595ca646f38d

SHA512
51145ccdc59c188870034ed8088457bcba4a621634d9e71dfa9ca9f993a22f7dfcebdf3628c64445f80bae688ad864278a858298a45713daaed18932aaceb88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1znnYI5tX.bat

Filesize
232B

MD5
c49f90034543b0e835c074e89878fa8d

SHA1
aa0afdb662d2c957e22e0ee160de6b5f81764824

SHA256
b7d6fdf7db88fdde1dca7f92aca5d16a931a6795d0a1c3a596975cc2b580b090

SHA512
2f4ce03cb359960958f589bb87c1aec6b7ef5d7a43b6f0b4b7ac39d50ddcee2ce315039435c88c9b015dc558ddae34596d9f9139ea960cab764a916aa1d885ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
232B

MD5
51909cd62063247422516ee5cb96e9af

SHA1
2dd9400d38ce9f83ed839cf1cd9e094e6b66c6c5

SHA256
e0189a293e5abc799cb121db5701d85dbf8f2fe9cd0186e6c801631b4fec457b

SHA512
5aa46cc0e0644cdbb4e541ede1aba579f78e6ea2afc5bd470023cbd0526d3baa4685f07fb683b47807f3d5b938335d075a938bb49b395c19ad89708c0ec7aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat

Filesize
232B

MD5
ee253b000710c5269df408a0261c9bd7

SHA1
eced5cdc90a1687a3d07082a955e71bf1fc50008

SHA256
0e0f13071366269b6f3d550895b3396c083570b7f36728ae6a93b773737951bd

SHA512
f4f477c4503da976b2201047a34823853c3207fb675f4749d94fb94cf7858e1cbcc1ff0610a2fb0da3f3a86079e2f90a42000ff4be6f2a632377126ac1b560f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wopTFFySxd.bat

Filesize
184B

MD5
328913cb2d97b9b85c3d1581eeb70e8e

SHA1
84294f8c3f90b621dff9fb6c0660ea50ebd58241

SHA256
d23cb9500774792bd1d677c60338a761039cd189bc8c3bbdd797abb3d93b3111

SHA512
c86000b98c7bb13f7ce832d108c29e18ecd4820e75d0482038c66a38a99327b0844b094640d70455644f83dbe9cb2d28cff94a2682b60ac9ef05e021fec161e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat

Filesize
232B

MD5
a331d485a1d1d48becfab31abb0d5589

SHA1
5d77730a59543b5c8bbef184f8b0e5b3494b2acd

SHA256
f020c6451f4432ed9dba6fb0028a6404c50197ce9a04f2820c9e71cdf3c62be2

SHA512
4dac5eef55f535ec81e2ec78b4816855009329454f665e1059e0d99cf14f1b98120f7839d273e29d827faa843fd9472a9d85b86a2a1bbf1220b46b005189f451

Download Submit
memory/4848-22-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/4848-20-0x000000001AFB0000-0x000000001AFC8000-memory.dmp

Filesize
96KB

Download
memory/4848-18-0x000000001B240000-0x000000001B290000-memory.dmp

Filesize
320KB

Download
memory/4848-17-0x000000001AD80000-0x000000001AD9C000-memory.dmp

Filesize
112KB

Download
memory/4848-15-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/4848-13-0x0000000000070000-0x000000000024A000-memory.dmp

Filesize
1.9MB

Download
memory/4848-12-0x00007FFAA25B3000-0x00007FFAA25B5000-memory.dmp

Filesize
8KB

Download