dcrat | 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2024, 21:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Size

3.5MB
MD5

6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1

0eba0dd22b3f5053798eba26e027ef7383602774
SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512

f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d
SSDEEP

98304:HCLp6aQhP2k4Xrn/kRCH9ldADNbkAiS5uSM:HK6P2k4XD/kRCd/8YTSm

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 12 IoCs

pid	Process
3632	smss.exe
4384	smss.exe
1408	smss.exe
1468	smss.exe
1976	smss.exe
220	smss.exe
4928	smss.exe
4596	smss.exe
2280	smss.exe
744	smss.exe
1084	smss.exe
5080	smss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
File created	C:\Program Files\Crashpad\reports\Idle.exe	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
File opened for modification	C:\Program Files\Crashpad\reports\Idle.exe	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
File created	C:\Program Files\Crashpad\reports\6ccacd8608530f	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\wininit.exe	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
File created	C:\Windows\ShellExperiences\56085415360792	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5112	PING.EXE
3920	PING.EXE
4072	PING.EXE
3828	PING.EXE
1000	PING.EXE
2536	PING.EXE
3316	PING.EXE

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1000	PING.EXE
2536	PING.EXE
3316	PING.EXE
5112	PING.EXE
3920	PING.EXE
4072	PING.EXE
3828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
Token: SeDebugPrivilege	3632	smss.exe
Token: SeDebugPrivilege	4384	smss.exe
Token: SeDebugPrivilege	1408	smss.exe
Token: SeDebugPrivilege	1468	smss.exe
Token: SeDebugPrivilege	1976	smss.exe
Token: SeDebugPrivilege	220	smss.exe
Token: SeDebugPrivilege	4928	smss.exe
Token: SeDebugPrivilege	4596	smss.exe
Token: SeDebugPrivilege	2280	smss.exe
Token: SeDebugPrivilege	744	smss.exe
Token: SeDebugPrivilege	1084	smss.exe
Token: SeDebugPrivilege	5080	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 5076	2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe	87
PID 2012 wrote to memory of 5076	2012	6C5F6433BAE4CBF3DC2D1FD40B716B08.exe	87
PID 5076 wrote to memory of 3808	5076	cmd.exe	89
PID 5076 wrote to memory of 3808	5076	cmd.exe	89
PID 5076 wrote to memory of 3828	5076	cmd.exe	91
PID 5076 wrote to memory of 3828	5076	cmd.exe	91
PID 5076 wrote to memory of 3632	5076	cmd.exe	99
PID 5076 wrote to memory of 3632	5076	cmd.exe	99
PID 3632 wrote to memory of 4960	3632	smss.exe	101
PID 3632 wrote to memory of 4960	3632	smss.exe	101
PID 4960 wrote to memory of 3216	4960	cmd.exe	103
PID 4960 wrote to memory of 3216	4960	cmd.exe	103
PID 4960 wrote to memory of 4824	4960	cmd.exe	104
PID 4960 wrote to memory of 4824	4960	cmd.exe	104
PID 4960 wrote to memory of 4384	4960	cmd.exe	106
PID 4960 wrote to memory of 4384	4960	cmd.exe	106
PID 4384 wrote to memory of 1036	4384	smss.exe	111
PID 4384 wrote to memory of 1036	4384	smss.exe	111
PID 1036 wrote to memory of 4120	1036	cmd.exe	113
PID 1036 wrote to memory of 4120	1036	cmd.exe	113
PID 1036 wrote to memory of 4744	1036	cmd.exe	114
PID 1036 wrote to memory of 4744	1036	cmd.exe	114
PID 1036 wrote to memory of 1408	1036	cmd.exe	116
PID 1036 wrote to memory of 1408	1036	cmd.exe	116
PID 1408 wrote to memory of 3100	1408	smss.exe	119
PID 1408 wrote to memory of 3100	1408	smss.exe	119
PID 3100 wrote to memory of 2948	3100	cmd.exe	121
PID 3100 wrote to memory of 2948	3100	cmd.exe	121
PID 3100 wrote to memory of 4440	3100	cmd.exe	122
PID 3100 wrote to memory of 4440	3100	cmd.exe	122
PID 3100 wrote to memory of 1468	3100	cmd.exe	125
PID 3100 wrote to memory of 1468	3100	cmd.exe	125
PID 1468 wrote to memory of 4844	1468	smss.exe	130
PID 1468 wrote to memory of 4844	1468	smss.exe	130
PID 4844 wrote to memory of 1732	4844	cmd.exe	132
PID 4844 wrote to memory of 1732	4844	cmd.exe	132
PID 4844 wrote to memory of 1000	4844	cmd.exe	133
PID 4844 wrote to memory of 1000	4844	cmd.exe	133
PID 4844 wrote to memory of 1976	4844	cmd.exe	135
PID 4844 wrote to memory of 1976	4844	cmd.exe	135
PID 1976 wrote to memory of 4876	1976	smss.exe	138
PID 1976 wrote to memory of 4876	1976	smss.exe	138
PID 4876 wrote to memory of 1776	4876	cmd.exe	140
PID 4876 wrote to memory of 1776	4876	cmd.exe	140
PID 4876 wrote to memory of 4168	4876	cmd.exe	141
PID 4876 wrote to memory of 4168	4876	cmd.exe	141
PID 4876 wrote to memory of 220	4876	cmd.exe	143
PID 4876 wrote to memory of 220	4876	cmd.exe	143
PID 220 wrote to memory of 3152	220	smss.exe	146
PID 220 wrote to memory of 3152	220	smss.exe	146
PID 3152 wrote to memory of 1164	3152	cmd.exe	148
PID 3152 wrote to memory of 1164	3152	cmd.exe	148
PID 3152 wrote to memory of 2536	3152	cmd.exe	149
PID 3152 wrote to memory of 2536	3152	cmd.exe	149
PID 3152 wrote to memory of 4928	3152	cmd.exe	153
PID 3152 wrote to memory of 4928	3152	cmd.exe	153
PID 4928 wrote to memory of 2800	4928	smss.exe	156
PID 4928 wrote to memory of 2800	4928	smss.exe	156
PID 2800 wrote to memory of 1916	2800	cmd.exe	158
PID 2800 wrote to memory of 1916	2800	cmd.exe	158
PID 2800 wrote to memory of 3316	2800	cmd.exe	159
PID 2800 wrote to memory of 3316	2800	cmd.exe	159
PID 2800 wrote to memory of 4596	2800	cmd.exe	161
PID 2800 wrote to memory of 4596	2800	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\6C5F6433BAE4CBF3DC2D1FD40B716B08.exe
"C:\Users\Admin\AppData\Local\Temp\6C5F6433BAE4CBF3DC2D1FD40B716B08.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Y1E5iSZDr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3808
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3828
- - C:\Users\Default User\smss.exe
    "C:\Users\Default User\smss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3216
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4824
    - - C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4744
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4440
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kPncStCbb0.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4168
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkzh3ZFdGZ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3316
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"
        18⤵
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:436
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"
        20⤵
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tV5RM9l7zq.bat"
        22⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat"
        24⤵
        
        PID:5040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:832
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat"
        26⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Y1E5iSZDr.bat

Filesize
158B

MD5
a8fefff6b33eddb57d58c67335cb2543

SHA1
76e11dc5228941dce553da8e270e1ec966609915

SHA256
2ffe99f32a47660e711c0994ccc967dbaca5592341a10568ece606cf7a49453d

SHA512
5c695b96f876d4450de74ad6aa8c19abb7ab73564462cbb33a564421feb7046dcd8ace8680b45b55ef24e716a88a6df373368a1aed05c15cb38303f9e5596ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat

Filesize
158B

MD5
858d0270087d8d0f2c36b48891a797f5

SHA1
2a636c4720e51d31f3a65ce3df6b984448c5b392

SHA256
911f667c5fbdbad2655e16342af1a87a75e9a89eae42c767cf528c8ff969e832

SHA512
6255a11eb3f5413506c39fc955ce0d98ed9abf486616f5f538b7f054faac11219159f9bacffda98d4ed98b64a19ac148dc9b7e9bd1c6241d286149293e6c9e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat

Filesize
158B

MD5
73b2de95d1e020fa509eea93c20e9868

SHA1
2f608980f335146da3927dd270cdf2535cc6ef47

SHA256
98a7e61978f8d00a6909a322090233eb93d0f69798e0e046f8de93a2537978e4

SHA512
e8ca304c1034aea2212fe9ae31edc0eb3b31cff06a3856b1db053b14782669646926037b53040414af2662037fee2aa5461ad88fb333d9ca6bfec8f5ce501d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat

Filesize
158B

MD5
3f7077d753501838e6cfdf19cac32a63

SHA1
674a25b7465d98b43ef84b57c6c2099bc593d79a

SHA256
83d89e056bcaf85287330b83cf3295c5e2214ba4d387a2167c2248d9f7dd452b

SHA512
2f4fe1960b7efd8a6c51fc468db0f220af8c8a1d4c15fb320af588bd2e72d17a3989993149355d4c417dadcd388e307f0a52e9a6b55427822c0c55995cd8bd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat

Filesize
206B

MD5
23aadff0b84070757998fb94a2f13c91

SHA1
d5c844eceab611af3fd4370b1b886c6e22fcb1c0

SHA256
1d4831f8e5767459737c31002361ae3d14823f991fb1cd1cfd462d6c640250d5

SHA512
83be931b4a5a5189e120e1f7188eb8614af37f1ae8a79834439c05f73390888e95a48fe8e73d6fd0516b0a313634a167364e85cf2b7557c3842650fe101b9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtX0d4fx4d.bat

Filesize
206B

MD5
d4a4fc427ec087acc460bc27085f1ba1

SHA1
518b44eafff7e5aa56b2aa074a21bb5c8bdae641

SHA256
52c41c9a8e5c246ea1792437a3c9c82a8a94dc25c0d14d38679ebbe154f1c873

SHA512
ef4987f0cb3537416ff238ce15b1aff0de0ba2002dba3a1cff94f7dfad0503c803dd7c1033155f7193a3714e3660c9ec01f0c22f4ac5540b3915fcbb4f992d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat

Filesize
158B

MD5
2c1de2b239beb41d51a00702939fe699

SHA1
8aed63784620d57bcce49c3ac7e8814d5a734f4e

SHA256
e36a0ccf266f433ba307838ebb81ca72f3a3867eaaffc24f56db016d89548bad

SHA512
bb7067e230cdf47c86e1e25a6636aacece88426fa45feedaaa38bc6836f68973faa3ad677feb2ded14e02404310a20f44526041661a7edd01742ffa8126a94ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkzh3ZFdGZ.bat

Filesize
158B

MD5
f64b6687f24686cd697e542b1275f866

SHA1
2ba0ea30a6a3bc0b22fc360610e0d50a41aff842

SHA256
4ca6caf68fd7f1fe4d599d53b4a06f5e8cbde3fe2da47e2fa3f6d3741ecaecd8

SHA512
7578f97c5d36bacc1a62a632c8093f77083fc5e3f1fcf72399a8567284ccf12f0d5762d550cad5d8b5cf4d8849ddd7903bfba1b42d141132910702d54f4956b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat

Filesize
206B

MD5
e8d22e6562536b2885b48c27f2674a9d

SHA1
307d3e4cafae41c4891d8730ea2627b7b60bef2d

SHA256
c5598056b5da06e20c067709f2e1cffda7f97a9e197bf58f542e169d9c69ada6

SHA512
c6ed1257a2ab67319d6f6344b888e3ea4ec071b2d9e68cad401f6297a28f782782c0e6281adbfab50d0ba02114bdbb439fab96b193905e4c85fd8839865914b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPncStCbb0.bat

Filesize
206B

MD5
8c6736d5321f8da8e8c1d1f8b23bfc4d

SHA1
e494070d6f8d059f4202edab8f06b7a489c2dd27

SHA256
f43e12be80829858ac280f7b8467db9ddae14803d6d396ddb12c053ef19fda64

SHA512
f5b74cc88bde9274339fb2f2f808bc7fa993122b460035b114125372bb9ea1cccc7e5210e138206f59e195474758168310537e14312431e8862bf47e6de65d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tV5RM9l7zq.bat

Filesize
158B

MD5
0b84fc206095d4ccda0189c68dbde53e

SHA1
5cee6520a1070623fd86bbba15e66d3c8e84a227

SHA256
65aae31534db59628db88aea7b9b1410f4cf98b9f454b62b3fe1872d185c13b3

SHA512
3112eb0b9f761a581f5ee336e917fdd11571e3c3a6f3a21b43a007fc9fde692d858f2001fbcf772cac07f93f68cd05a6d35a9fd737ec02ad86696b095a3fbd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat

Filesize
206B

MD5
34a4d69adbc275d69cb099bfc547fff2

SHA1
1fedf2b5c85ea8fc6725057d43b7dd9adcc545e1

SHA256
6e96592f32b3db286deb4dac30dfb9acb730746142ac85aa6b2bd33073b46afb

SHA512
2d08e43d968ebb1efc613911074dddd3b3da21ea63aaff8913c5d917c4299e911a2abccd8a8d2d7daae522935a6c14fa2dd28a6aeb4a8a68b447268bad8a16bb

Download Submit
C:\Windows\ShellExperiences\wininit.exe

Filesize
3.5MB

MD5
6c5f6433bae4cbf3dc2d1fd40b716b08

SHA1
0eba0dd22b3f5053798eba26e027ef7383602774

SHA256
9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

SHA512
f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

Download Submit
memory/744-352-0x000000001F3A0000-0x000000001F549000-memory.dmp

Filesize
1.7MB

Download
memory/1084-380-0x000000001E760000-0x000000001E909000-memory.dmp

Filesize
1.7MB

Download
memory/2012-19-0x00000000028F0000-0x0000000002908000-memory.dmp

Filesize
96KB

Download
memory/2012-23-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/2012-28-0x000000001B430000-0x000000001B442000-memory.dmp

Filesize
72KB

Download
memory/2012-30-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2012-33-0x000000001B470000-0x000000001B486000-memory.dmp

Filesize
88KB

Download
memory/2012-31-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-26-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-35-0x000000001B490000-0x000000001B4A2000-memory.dmp

Filesize
72KB

Download
memory/2012-36-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-37-0x000000001CE00000-0x000000001D328000-memory.dmp

Filesize
5.2MB

Download
memory/2012-40-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-39-0x0000000002920000-0x000000000292E000-memory.dmp

Filesize
56KB

Download
memory/2012-43-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-42-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/2012-45-0x000000001B450000-0x000000001B460000-memory.dmp

Filesize
64KB

Download
memory/2012-47-0x000000001C930000-0x000000001C98A000-memory.dmp

Filesize
360KB

Download
memory/2012-49-0x000000001B460000-0x000000001B46E000-memory.dmp

Filesize
56KB

Download
memory/2012-51-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

Filesize
64KB

Download
memory/2012-53-0x000000001C8D0000-0x000000001C8DE000-memory.dmp

Filesize
56KB

Download
memory/2012-55-0x000000001C900000-0x000000001C918000-memory.dmp

Filesize
96KB

Download
memory/2012-57-0x000000001CBE0000-0x000000001CC2E000-memory.dmp

Filesize
312KB

Download
memory/2012-25-0x00000000028C0000-0x00000000028CE000-memory.dmp

Filesize
56KB

Download
memory/2012-74-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-21-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/2012-0-0x00007FF91EF03000-0x00007FF91EF05000-memory.dmp

Filesize
8KB

Download
memory/2012-17-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/2012-15-0x000000001C880000-0x000000001C8D0000-memory.dmp

Filesize
320KB

Download
memory/2012-14-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-13-0x00000000028D0000-0x00000000028EC000-memory.dmp

Filesize
112KB

Download
memory/2012-11-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2012-8-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-1-0x00000000002B0000-0x0000000000636000-memory.dmp

Filesize
3.5MB

Download
memory/2012-9-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-2-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-7-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-3-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-6-0x0000000002870000-0x0000000002896000-memory.dmp

Filesize
152KB

Download
memory/2012-4-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-324-0x000000001E8E0000-0x000000001EA89000-memory.dmp

Filesize
1.7MB

Download
memory/4596-296-0x000000001E360000-0x000000001E509000-memory.dmp

Filesize
1.7MB

Download
memory/4928-268-0x000000001E660000-0x000000001E809000-memory.dmp

Filesize
1.7MB

Download
memory/5080-408-0x000000001E400000-0x000000001E5A9000-memory.dmp

Filesize
1.7MB

Download