dcrat | 9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

483KB
MD5

80f82098b4ff87c7980403091b1b17bd
SHA1

e148a4bf5d34eddec309012bfb68e459d9129e5b
SHA256

9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623
SHA512

f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a
SSDEEP

6144:rSpXb1XT7pvYgsVaeR2gmwhqLhyImR+/tVZecPmzF7aPM1Ujvbj7SHMsz61+:rOr1Xnppc3hTVStVscVPGSXmHj61+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3472-1-0x0000000000670000-0x00000000006F0000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0007000000023c9c-10.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 18 IoCs

pid	Process
4808	OfficeClickToRun.exe
1048	OfficeClickToRun.exe
5012	OfficeClickToRun.exe
1244	OfficeClickToRun.exe
1336	OfficeClickToRun.exe
5060	OfficeClickToRun.exe
5068	OfficeClickToRun.exe
1920	OfficeClickToRun.exe
1808	OfficeClickToRun.exe
1200	OfficeClickToRun.exe
2208	OfficeClickToRun.exe
1524	OfficeClickToRun.exe
5096	OfficeClickToRun.exe
4444	OfficeClickToRun.exe
4912	OfficeClickToRun.exe
5092	OfficeClickToRun.exe
1556	OfficeClickToRun.exe
3328	OfficeClickToRun.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe	2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\e6c9b481da804f	2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\aa97147c4c782d	2.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe	2.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9	2.exe
File created	C:\Windows\assembly\tmp\MusNotification.exe	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2388	PING.EXE
396	PING.EXE
3068	PING.EXE
1872	PING.EXE
4716	PING.EXE
348	PING.EXE
1980	PING.EXE
4108	PING.EXE
3260	PING.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	2.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2388	PING.EXE
396	PING.EXE
1980	PING.EXE
4108	PING.EXE
4716	PING.EXE
348	PING.EXE
3068	PING.EXE
1872	PING.EXE
3260	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe
3472	2.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	2.exe
Token: SeDebugPrivilege	4808	OfficeClickToRun.exe
Token: SeDebugPrivilege	1048	OfficeClickToRun.exe
Token: SeDebugPrivilege	5012	OfficeClickToRun.exe
Token: SeDebugPrivilege	1244	OfficeClickToRun.exe
Token: SeDebugPrivilege	1336	OfficeClickToRun.exe
Token: SeDebugPrivilege	5060	OfficeClickToRun.exe
Token: SeDebugPrivilege	5068	OfficeClickToRun.exe
Token: SeDebugPrivilege	1920	OfficeClickToRun.exe
Token: SeDebugPrivilege	1808	OfficeClickToRun.exe
Token: SeDebugPrivilege	1200	OfficeClickToRun.exe
Token: SeDebugPrivilege	2208	OfficeClickToRun.exe
Token: SeDebugPrivilege	1524	OfficeClickToRun.exe
Token: SeDebugPrivilege	5096	OfficeClickToRun.exe
Token: SeDebugPrivilege	4444	OfficeClickToRun.exe
Token: SeDebugPrivilege	4912	OfficeClickToRun.exe
Token: SeDebugPrivilege	5092	OfficeClickToRun.exe
Token: SeDebugPrivilege	1556	OfficeClickToRun.exe
Token: SeDebugPrivilege	3328	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4856	3472	2.exe	83
PID 3472 wrote to memory of 4856	3472	2.exe	83
PID 4856 wrote to memory of 3616	4856	cmd.exe	85
PID 4856 wrote to memory of 3616	4856	cmd.exe	85
PID 4856 wrote to memory of 1336	4856	cmd.exe	86
PID 4856 wrote to memory of 1336	4856	cmd.exe	86
PID 4856 wrote to memory of 4808	4856	cmd.exe	88
PID 4856 wrote to memory of 4808	4856	cmd.exe	88
PID 4808 wrote to memory of 3324	4808	OfficeClickToRun.exe	89
PID 4808 wrote to memory of 3324	4808	OfficeClickToRun.exe	89
PID 3324 wrote to memory of 848	3324	cmd.exe	91
PID 3324 wrote to memory of 848	3324	cmd.exe	91
PID 3324 wrote to memory of 796	3324	cmd.exe	92
PID 3324 wrote to memory of 796	3324	cmd.exe	92
PID 3324 wrote to memory of 1048	3324	cmd.exe	102
PID 3324 wrote to memory of 1048	3324	cmd.exe	102
PID 1048 wrote to memory of 2308	1048	OfficeClickToRun.exe	103
PID 1048 wrote to memory of 2308	1048	OfficeClickToRun.exe	103
PID 2308 wrote to memory of 4116	2308	cmd.exe	105
PID 2308 wrote to memory of 4116	2308	cmd.exe	105
PID 2308 wrote to memory of 2388	2308	cmd.exe	106
PID 2308 wrote to memory of 2388	2308	cmd.exe	106
PID 2308 wrote to memory of 5012	2308	cmd.exe	112
PID 2308 wrote to memory of 5012	2308	cmd.exe	112
PID 5012 wrote to memory of 1200	5012	OfficeClickToRun.exe	113
PID 5012 wrote to memory of 1200	5012	OfficeClickToRun.exe	113
PID 1200 wrote to memory of 2464	1200	cmd.exe	115
PID 1200 wrote to memory of 2464	1200	cmd.exe	115
PID 1200 wrote to memory of 396	1200	cmd.exe	116
PID 1200 wrote to memory of 396	1200	cmd.exe	116
PID 1200 wrote to memory of 1244	1200	cmd.exe	120
PID 1200 wrote to memory of 1244	1200	cmd.exe	120
PID 1244 wrote to memory of 2424	1244	OfficeClickToRun.exe	122
PID 1244 wrote to memory of 2424	1244	OfficeClickToRun.exe	122
PID 2424 wrote to memory of 3644	2424	cmd.exe	124
PID 2424 wrote to memory of 3644	2424	cmd.exe	124
PID 2424 wrote to memory of 1980	2424	cmd.exe	125
PID 2424 wrote to memory of 1980	2424	cmd.exe	125
PID 2424 wrote to memory of 1336	2424	cmd.exe	127
PID 2424 wrote to memory of 1336	2424	cmd.exe	127
PID 1336 wrote to memory of 3656	1336	OfficeClickToRun.exe	128
PID 1336 wrote to memory of 3656	1336	OfficeClickToRun.exe	128
PID 3656 wrote to memory of 1936	3656	cmd.exe	130
PID 3656 wrote to memory of 1936	3656	cmd.exe	130
PID 3656 wrote to memory of 1624	3656	cmd.exe	131
PID 3656 wrote to memory of 1624	3656	cmd.exe	131
PID 3656 wrote to memory of 5060	3656	cmd.exe	133
PID 3656 wrote to memory of 5060	3656	cmd.exe	133
PID 5060 wrote to memory of 4608	5060	OfficeClickToRun.exe	134
PID 5060 wrote to memory of 4608	5060	OfficeClickToRun.exe	134
PID 4608 wrote to memory of 4716	4608	cmd.exe	136
PID 4608 wrote to memory of 4716	4608	cmd.exe	136
PID 4608 wrote to memory of 1784	4608	cmd.exe	137
PID 4608 wrote to memory of 1784	4608	cmd.exe	137
PID 4608 wrote to memory of 5068	4608	cmd.exe	139
PID 4608 wrote to memory of 5068	4608	cmd.exe	139
PID 5068 wrote to memory of 4320	5068	OfficeClickToRun.exe	140
PID 5068 wrote to memory of 4320	5068	OfficeClickToRun.exe	140
PID 4320 wrote to memory of 3168	4320	cmd.exe	142
PID 4320 wrote to memory of 3168	4320	cmd.exe	142
PID 4320 wrote to memory of 2672	4320	cmd.exe	143
PID 4320 wrote to memory of 2672	4320	cmd.exe	143
PID 4320 wrote to memory of 1920	4320	cmd.exe	145
PID 4320 wrote to memory of 1920	4320	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cvtZha2OOy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3616
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1336
- - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
    "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:848
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:796
    - - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SrnQwv5hL3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ETZZ9TGUYL.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1624
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1784
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2672
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat"
        18⤵
        
        PID:4404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        20⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KfiEaGEkVw.bat"
        22⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T5cYRg4YXy.bat"
        24⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3260
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat"
        26⤵
        
        PID:4580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4716
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat"
        28⤵
        
        PID:4304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1932
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat"
        30⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:928
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xxJyJeiq1z.bat"
        32⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4276
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat"
        34⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2960
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat"
        36⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4072
        
        C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFkRehGdMQ.bat"
        38⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\OfficeClickToRun.exe

Filesize
483KB

MD5
80f82098b4ff87c7980403091b1b17bd

SHA1
e148a4bf5d34eddec309012bfb68e459d9129e5b

SHA256
9d616be0e9388f525e3256467fd034bb7b647e6aca98ca64b46475cf0b2bf623

SHA512
f44b97af2199f5573eef474e78bc6acbac560455ef5730c4101588c40531099f3784787df95d885dc5756cb7913a2864b7a0987876aac75acfdb7ab1eeffff1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
0f31e501ab247a1b471e8e69930fda3d

SHA1
cc4a26314aad742126f6df0e92b777a786eade0b

SHA256
f6562e9acf0bb58a78a8ad59d5bc88bdf7a2508b84745605dfc28a19f60e4742

SHA512
65c14701fa94622aca52146b0f2d501ac2acdd4acd2a4c666903a800f26310832404a66478f861dd9b10a0a74d99e2b683fb73aef5d153b7ac26aabb96cfea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat

Filesize
208B

MD5
37bc2616c29f12efe3156e80afcdf990

SHA1
adfa53618d3aaa92c203b4540276347cb383b6af

SHA256
af395894a9772bcde448ea201b1945960bde9bf79b7e9b70b366da2b80c1728d

SHA512
5b0a07a6c79cde1eb8258d02a418574a1fde4102b8034e34a62cca81a3eecf7e412b0d624e15a6f4e8172961c2a49109c9d46546f78c53b126e27622ad3071b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat

Filesize
208B

MD5
3e4523dfc48dd60f237add5193659fa0

SHA1
ed75f31139635604b20b0186f5adb3f43a78ebb7

SHA256
020caff747719474201d996335f25c526c28c62d5b57ae7493a845b32fa95ae9

SHA512
c109bf2e5cd16d04b5534292eb796cb31b47271f1b08b46316d8ec9058d56630ce47d375333f44673b10385d1c45e56ee6ae0aff3036023315aa8b243496d900

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFkRehGdMQ.bat

Filesize
208B

MD5
62e9f10ea897bced9328431283138d5f

SHA1
078f9bf3ef7a4b78a4d8950a230f365479276990

SHA256
3150fe4d8cfd4ee4feca7f8665c84cba52128857a6a50a9fdbfee7e40e799687

SHA512
2dd233a869575fb0800432f2450d92dae559c55c8ce893c5460aed104320fd73e442e48a99375aa7fe9717c26e9a7d2cd5e0fd0bad48b14f11e873e6f5f9df82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETZZ9TGUYL.bat

Filesize
208B

MD5
619fbff4cbd8d70437ff9207020880f4

SHA1
4894301325452856d79852203df31d75b2ac6234

SHA256
1709200b87f0edcc9d4f5d54f83913092c0901796cddad95a81d35b1dd44d39d

SHA512
937800b8e4a7dab4fa336ac13aafe36a08ccc6a220b53a39ca2f843924e47dd70fd7adbfff46efeb891ad6757d4d0473404f210b13c743707c89d96ca1ffc80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

Filesize
208B

MD5
ab0ebd7e9e68c5e05f3704a7f083bcc3

SHA1
7d59756c67c5e28669e770a74d56d412acbcefff

SHA256
e0a698f64c121327ef9de5c244e1dea60e577f3c5b79dc284e4f4eb7cf01d7e6

SHA512
f2b267a80d7949ee35e289ce6495ffe4828dc39e50a905725e0ebd85954f61936f5492870b8a53deee08235a299c50d0ad2014e7d92ccbe35ca1a6e41acce353

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfiEaGEkVw.bat

Filesize
208B

MD5
3dc1608b5d0bb8e690af6c2553b7543d

SHA1
60c4770909bee8a157381be735257535e77563fe

SHA256
1a5a43002925ff22707a06d9d6596004c4af053e8f4bf449537aacbc685d3e6b

SHA512
4370fab40007cf86a7af5c6c39d0f91c817ac1e4d38214a5d26ddedf3d3dd9444fb407803bd19152ebf272416aedbece4dde47df55588df02ea08da9b402fc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat

Filesize
256B

MD5
317f62719f16d39734b0845638d08788

SHA1
e54ba3a2d5e4cd725ba2fb076a2a3fb45b5b4a9d

SHA256
2f7043381e576ebd3b5447f524e858b49edcda24f2502479dcb174b554a0989a

SHA512
37e80cb48970bb25227be0efadc1066e489fdd872d6e5ed966403bd31fb4721b4c98f5542f3224c2499119d2194baa23b328bea73a344281aa1e7113abfc0559

Download Submit
C:\Users\Admin\AppData\Local\Temp\SrnQwv5hL3.bat

Filesize
208B

MD5
79419c8b8093f75f61cbd29450d088cd

SHA1
9955fd90d4bed6db46a9cf4774dae02ec1fa9e3c

SHA256
e95f9c2ba6ebd1021dcda6014efce6ff1672b82b1af6221d5893ef1715228b27

SHA512
8f8785a767df91fd6bfe31368a737849259f5f4701a5d9e6f244f9ff751a0e96df41ad12256f79a5d05268210b3ce516aaeb3c5bff12357ca103a28a842f119a

Download Submit
C:\Users\Admin\AppData\Local\Temp\T5cYRg4YXy.bat

Filesize
208B

MD5
bda15ef9b34205d77341392ffc55bec9

SHA1
a91ca7931f00129b91b72aa91fd9605c05c6b4ee

SHA256
2b840aa4651f03f2079b64f162b878a89c31fd6ec6b892aae7e24514eb2a1e63

SHA512
d023041c05c9ef99fa367714585e16c0878c421144ec5601dd6fb1ae1fdff8c056628ebcf7ebea29fe110fd66708e482c2f7af990376a31ede0023009da051eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat

Filesize
256B

MD5
ff8745eb06d0eaf35a05ce5aa88c60dd

SHA1
a37afae512415ff860045980a0b899e1a68dc474

SHA256
99bd41827b8ac76e32da06dbe05fbb7ec78203ab266b08931a667ccf0502358c

SHA512
1c1a70689d16e75892d55a788b7b5c83d4bcd82ee286f9f73c5f9fbdd093c8d501de23f734e9966dd31682e22acfb3a30fa761ca7acf6f7a59710eb2696e0392

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtZha2OOy.bat

Filesize
256B

MD5
48bf3ee8f34660febe347f4c967ca609

SHA1
3e5aded14d60a4f816b203c5e70511023031d463

SHA256
c5bc8ee51b67bbbcde1c825f219ec7c45d26ff7dea658e4717eaa6fb05bb8a91

SHA512
dbde89854812146e324de060a92308fa7b4fd942e8c494aab640d77ed75a28439460e49906bec84ad5c4d25861e586769bed37546a7e0ed34c36f6588b73c5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\psxgKE21Xe.bat

Filesize
256B

MD5
585cc733c8b3b2c70dfc6fed5ed199a2

SHA1
4b08d4493c529e2b24fbee193f6a13ea8c1a9f4e

SHA256
4e694b1eb6a392be3287ad81713780e7dcd8b46b6ea9ff755c329f69e9a4e93c

SHA512
a051e9e14a094959650e94e99623a664d3b991d325f5ee0015aa9565fdb3ac11044dcd816951c4de64364af51cdadfc390e5d6d9f923110d44785722c59541da

Download Submit
C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat

Filesize
208B

MD5
8a69c578c01d0ddd7645b5348d7f7199

SHA1
73b29cc4e6eb88b2d5d4c350b5fd284d982c180b

SHA256
cefbd683e5e909c548619347f917cc30c0061d2428061cce04f39b49486af5e8

SHA512
c6d5e29086374c4b944a67a92d965f4bd9f38f59db69983196c5c8cbd5ab03a6124a80597b7e481b81c0f059b8c1ba402b10efc5750ad69d0a7abb2ec89b40ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxJyJeiq1z.bat

Filesize
256B

MD5
a30261a99d2307635a0897587c10f1c2

SHA1
228ae4777a7e0a1f5516f575fd555d3067486cee

SHA256
9fca064174251ac5c620b4b3cc441a909acfb947b166ac09fad05ad37900a4ab

SHA512
3227bcbe6f0498e63280a88e87e31cf65c068ef0dc626bd0fb3f7692bd7feada3a7a1b9da103741d0207985f7661f76071a3181be64ad5ffcba508f4419dba30

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat

Filesize
256B

MD5
708d97cd88fc426994c2034c3aa9c820

SHA1
6ea629d335aee37c8894ab298f03f19d7fa34518

SHA256
8ca7e57a1644e78f9fe4b288d7297b32b7b8d1ec464d4569d165a75aae7f5731

SHA512
b3e01a58c216eb2fac514d84dac8b56d22eebe7ae8ca063b3df0242eb787f59224e94f6cadba7ea049146ed376c515c7c39d1a7a59f8d7fd3562f8703b43105c

Download Submit
memory/3472-19-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-0-0x00007FF940713000-0x00007FF940715000-memory.dmp

Filesize
8KB

Download
memory/3472-15-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-1-0x0000000000670000-0x00000000006F0000-memory.dmp

Filesize
512KB

Download
memory/4808-24-0x00007FF93FE70000-0x00007FF940931000-memory.dmp

Filesize
10.8MB

Download
memory/4808-23-0x00007FF93FE70000-0x00007FF940931000-memory.dmp

Filesize
10.8MB

Download
memory/4808-30-0x00007FF93FE70000-0x00007FF940931000-memory.dmp

Filesize
10.8MB

Download