dcrat | 7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Providerhost_Slayed.exe
Size

5.8MB
MD5

263d0b6713e330af2c42a39ff1418807
SHA1

ee6132238748ec57cd8e8d6c0521570be1866149
SHA256

7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59
SHA512

66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d
SSDEEP

98304:JP7kzuZ1cBGWwT/gIM7aNcYkJ+lTEYHerN79G9yhPH:JzdcBVWC7gc0lrHerfG9QP

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/4448-1-0x0000000000CB0000-0x000000000127A000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0007000000024286-64.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Providerhost_Slayed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 13 IoCs

pid	Process
4776	explorer.exe
1708	explorer.exe
5276	explorer.exe
5864	explorer.exe
3580	explorer.exe
4864	explorer.exe
3740	explorer.exe
5508	explorer.exe
1560	explorer.exe
5912	explorer.exe
1512	explorer.exe
3428	explorer.exe
3020	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\040C\upfc.exe	Providerhost_Slayed.exe
File created	C:\Windows\INF\MSDTC Bridge 3.0.0.0\040C\ea1d8f6d871115	Providerhost_Slayed.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\wininit.exe	Providerhost_Slayed.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\56085415360792	Providerhost_Slayed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4868	PING.EXE
4740	PING.EXE
1148	PING.EXE
2900	PING.EXE
5892	PING.EXE
5720	PING.EXE
1164	PING.EXE
4784	PING.EXE
4604	PING.EXE
1200	PING.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	Providerhost_Slayed.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	explorer.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
1148	PING.EXE
5892	PING.EXE
1200	PING.EXE
5720	PING.EXE
4740	PING.EXE
4784	PING.EXE
4604	PING.EXE
2900	PING.EXE
4868	PING.EXE
1164	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe
4448	Providerhost_Slayed.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	Providerhost_Slayed.exe
Token: SeDebugPrivilege	4776	explorer.exe
Token: SeDebugPrivilege	1708	explorer.exe
Token: SeDebugPrivilege	5276	explorer.exe
Token: SeDebugPrivilege	5864	explorer.exe
Token: SeDebugPrivilege	3580	explorer.exe
Token: SeDebugPrivilege	4864	explorer.exe
Token: SeDebugPrivilege	3740	explorer.exe
Token: SeDebugPrivilege	5508	explorer.exe
Token: SeDebugPrivilege	1560	explorer.exe
Token: SeDebugPrivilege	5912	explorer.exe
Token: SeDebugPrivilege	1512	explorer.exe
Token: SeDebugPrivilege	3428	explorer.exe
Token: SeDebugPrivilege	3020	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4724	4448	Providerhost_Slayed.exe	91
PID 4448 wrote to memory of 4724	4448	Providerhost_Slayed.exe	91
PID 4724 wrote to memory of 4872	4724	cmd.exe	93
PID 4724 wrote to memory of 4872	4724	cmd.exe	93
PID 4724 wrote to memory of 4784	4724	cmd.exe	94
PID 4724 wrote to memory of 4784	4724	cmd.exe	94
PID 4724 wrote to memory of 4776	4724	cmd.exe	102
PID 4724 wrote to memory of 4776	4724	cmd.exe	102
PID 4776 wrote to memory of 1928	4776	explorer.exe	103
PID 4776 wrote to memory of 1928	4776	explorer.exe	103
PID 1928 wrote to memory of 556	1928	cmd.exe	105
PID 1928 wrote to memory of 556	1928	cmd.exe	105
PID 1928 wrote to memory of 628	1928	cmd.exe	106
PID 1928 wrote to memory of 628	1928	cmd.exe	106
PID 1928 wrote to memory of 1708	1928	cmd.exe	107
PID 1928 wrote to memory of 1708	1928	cmd.exe	107
PID 1708 wrote to memory of 4224	1708	explorer.exe	108
PID 1708 wrote to memory of 4224	1708	explorer.exe	108
PID 4224 wrote to memory of 4280	4224	cmd.exe	110
PID 4224 wrote to memory of 4280	4224	cmd.exe	110
PID 4224 wrote to memory of 1148	4224	cmd.exe	111
PID 4224 wrote to memory of 1148	4224	cmd.exe	111
PID 4224 wrote to memory of 5276	4224	cmd.exe	113
PID 4224 wrote to memory of 5276	4224	cmd.exe	113
PID 5276 wrote to memory of 2904	5276	explorer.exe	114
PID 5276 wrote to memory of 2904	5276	explorer.exe	114
PID 2904 wrote to memory of 5488	2904	cmd.exe	116
PID 2904 wrote to memory of 5488	2904	cmd.exe	116
PID 2904 wrote to memory of 3352	2904	cmd.exe	117
PID 2904 wrote to memory of 3352	2904	cmd.exe	117
PID 2904 wrote to memory of 5864	2904	cmd.exe	120
PID 2904 wrote to memory of 5864	2904	cmd.exe	120
PID 5864 wrote to memory of 2996	5864	explorer.exe	121
PID 5864 wrote to memory of 2996	5864	explorer.exe	121
PID 2996 wrote to memory of 4624	2996	cmd.exe	123
PID 2996 wrote to memory of 4624	2996	cmd.exe	123
PID 2996 wrote to memory of 4604	2996	cmd.exe	124
PID 2996 wrote to memory of 4604	2996	cmd.exe	124
PID 2996 wrote to memory of 3580	2996	cmd.exe	127
PID 2996 wrote to memory of 3580	2996	cmd.exe	127
PID 3580 wrote to memory of 4708	3580	explorer.exe	128
PID 3580 wrote to memory of 4708	3580	explorer.exe	128
PID 4708 wrote to memory of 4088	4708	cmd.exe	130
PID 4708 wrote to memory of 4088	4708	cmd.exe	130
PID 4708 wrote to memory of 2900	4708	cmd.exe	131
PID 4708 wrote to memory of 2900	4708	cmd.exe	131
PID 4708 wrote to memory of 4864	4708	cmd.exe	132
PID 4708 wrote to memory of 4864	4708	cmd.exe	132
PID 4864 wrote to memory of 2956	4864	explorer.exe	133
PID 4864 wrote to memory of 2956	4864	explorer.exe	133
PID 2956 wrote to memory of 3212	2956	cmd.exe	135
PID 2956 wrote to memory of 3212	2956	cmd.exe	135
PID 2956 wrote to memory of 6064	2956	cmd.exe	136
PID 2956 wrote to memory of 6064	2956	cmd.exe	136
PID 2956 wrote to memory of 3740	2956	cmd.exe	140
PID 2956 wrote to memory of 3740	2956	cmd.exe	140
PID 3740 wrote to memory of 1204	3740	explorer.exe	141
PID 3740 wrote to memory of 1204	3740	explorer.exe	141
PID 1204 wrote to memory of 5820	1204	cmd.exe	143
PID 1204 wrote to memory of 5820	1204	cmd.exe	143
PID 1204 wrote to memory of 5892	1204	cmd.exe	144
PID 1204 wrote to memory of 5892	1204	cmd.exe	144
PID 1204 wrote to memory of 5508	1204	cmd.exe	146
PID 1204 wrote to memory of 5508	1204	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MrLGgKfE4B.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4872
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4784
- - C:\2b5f15c5afe01f70d7f71092\explorer.exe
    "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9phEQOv8NZ.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:556
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:628
    - - C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3D0DQVE0G5.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1148
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QZnykySc6r.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3352
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lSuT6vhWYn.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\re37XjgnVO.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:6064
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5892
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4SpLuGErS0.bat"
        18⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat"
        20⤵
        
        PID:5456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3384
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\89KjNYDQ1l.bat"
        22⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5720
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat"
        24⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat"
        26⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4740
        
        C:\2b5f15c5afe01f70d7f71092\explorer.exe
        
        "C:\2b5f15c5afe01f70d7f71092\explorer.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3D0DQVE0G5.bat"
        28⤵
        
        PID:5744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:6136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\Idle.exe

Filesize
5.8MB

MD5
263d0b6713e330af2c42a39ff1418807

SHA1
ee6132238748ec57cd8e8d6c0521570be1866149

SHA256
7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

SHA512
66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D0DQVE0G5.bat

Filesize
168B

MD5
ad35e2a708d97d2964e55ea4e3fc1a06

SHA1
46c9cc88a0a2ba8829e69349d4ac6781868f0b87

SHA256
ed9d5f0f175b345728d7589b82c23a23371b8baa6fbe17aacf92b1f889fce7ce

SHA512
1f0b652904451a6ddc52283ef54c56c805ee51b46a83de5e41fe18510ea79db825f9c7966a75ce39545b3513683875dbbd56f6be4fb97c184fdcac3c08115ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4SpLuGErS0.bat

Filesize
168B

MD5
7c6ee28f03c9baf62c642374ce13956a

SHA1
227a90ac239cbed2c4fed37397614ab828920ab5

SHA256
a3377bd27e1c674f0b7e0a5665e5dde4d563bfbf2df7ce795187be07ed7ffebc

SHA512
8393531ed6ad7a7f9e4d65de9df381e6b446444b974f3969b9369eb46a39a6c65c05b9fcec7427b95c2f676cbfdf0103170a4699eb809166cd31646b4e350f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat

Filesize
216B

MD5
8e8191e7115e2943597a5ded1d90c505

SHA1
a928eade7f17c6103abb26e9380c533f388f3b23

SHA256
ae9241f25c4b8ada9bc3cb3b4f77eec37ecc4cf532fe4e6c40125f3ad770e998

SHA512
f2a002f285eb4bcc112242da2e3d44b5e2ae87e14c9b8528cb6bbe314a1277b46532009ef2a570049f71490aa558eb9ae229133db132d75bc3f3543b5f8586c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\89KjNYDQ1l.bat

Filesize
168B

MD5
c4719acbc662f02161ddc6f85276e870

SHA1
b25759f4eac5658965516064dd6025e18325993a

SHA256
5c91393592fbabcc3516eeac5a08fa54c0b7272a708dc6f65857de6e8223c343

SHA512
f14f15c6327d59a3216fb3cb75914e1efa9a9b88af09ccb6b6cbe1df8c57b4bba2091da407cdbcbcd1ea184e16c7560a008f489d27c7dcc28712279596ab42d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat

Filesize
168B

MD5
616ff1e17586f1fe3c35d3534efe0579

SHA1
5bc7e2ec529af317a05d80bececca2885aae4201

SHA256
f36c0a1dc0f7df89ba420857f98a8415ae504d4fc970653f86a8196be5fa02cd

SHA512
92eccb79e0cfb8f75161face062be4fc6959e26f54a87a60f8b1b8c4a4ad5d4dabe0a0225f5e2d65ab9bcb1f6ab3ec1e2341d14a4d33f2d4eee666be8f54768d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9phEQOv8NZ.bat

Filesize
216B

MD5
5912eb30c9555ef1efb3102bb58f029f

SHA1
1644f23c8b246ac27e0cf639d87e841d7cc5e218

SHA256
3705e0e0584ff400c07d707431c53e3f3f8268213751fafeb42cf28eecdbff45

SHA512
fedfcdf355c9fa13e199e2dba647aa37e2b333725869a8090f4b1b8a40158ea7e897a8d1b41c1da5ea064662bcee2205372d35b7b6c6befc2a3f018254311490

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrLGgKfE4B.bat

Filesize
168B

MD5
e408fef14e0890d2a72819c9b740fe7d

SHA1
55fd0b5f067a7d171a32f4b8ee7cb22fb2783e09

SHA256
574fe4d889dd096b2774fcf5d7bdb734eadc60358f47b3fa4a675527d19878fd

SHA512
9f15d7b0027a814308cb0d5e301a014f78bcb10de3983abb5132bf0568a3762663ad76a47ec1f0456a2600e0ff250a8fc71f3911500f5bda4fcc9b76601d77be

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZnykySc6r.bat

Filesize
216B

MD5
157dd6418d90b477f6d7b6227438fcdd

SHA1
6202538c3f5b4eae2742eca5d5265f9f5230e4ec

SHA256
0e4b079b37505ddc78fbba68e8b70876a30e5f211b6038daa7f4409672af2253

SHA512
c22848db8db0c239889fe1827992a1be5a3bcb55149b3a3c4a933d67a0909f45ac9b3c68e148e1a0623685e24486cedfefb87f07bc4f7d63443a37f336e3fa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat

Filesize
168B

MD5
473d82b22366f80a0b8a1e06ac7d6b53

SHA1
5c51f74c05df49be14f69701e2b65314ecd659a5

SHA256
7f2c450e95b6856614ad018608a5b9eebe753119393dd9738573de522f47d755

SHA512
d85dabc445080e9abed315b021e6735b2e4572b54acff1ee032ab9749d4370da9c87bc03fd471e9c48a0d2737f00a4f0dff65820830e7651c4447ed33a46971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSuT6vhWYn.bat

Filesize
168B

MD5
8351ac3760e0c5bb26728ab4d7868a95

SHA1
a4e8f11c4442516fe442953404d28c0344f47931

SHA256
aa0730ed080950e41a4bb5bc4156ca92696ef2ed4cbc4326056b3dd5288a19b8

SHA512
a81eded8f57dabd37db687df783d7c16cf0a1ca7b2782e7fa098315686457ce068bf2db4ed0c5653c858e43e97aac8bc7e05c582e8c7f254a6bc94229bb3f075

Download Submit
C:\Users\Admin\AppData\Local\Temp\re37XjgnVO.bat

Filesize
168B

MD5
e33a241eca28e6d733179a1207e44a6b

SHA1
a62c1c2821562694953ce49cfa3ee01c3f1a9f87

SHA256
df1fed55cae3d4c48accc81924aa8657a54a5b8d681a0b9ea597490da370db37

SHA512
b04a066e19989a9280fdbfb06c07f98721e7360dcfa127259fce91ec711c164773e4e44ed5b440f8a607307bf7a2c2723aa6438e39e14d1dfd9d748f20610f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat

Filesize
168B

MD5
b7a39681d95042984688211f782bdd2d

SHA1
7daeb5b7fd0447fbd8c2813ee0b7b959a33650c4

SHA256
d5ca2124438a6f019205d2220b06b2473ab3765b5fc1d1a61c2026856925658c

SHA512
1e43d4e6f6cd23ea0199739a51122626f3eb22e31655b80edb9e0f83744659d7b9d7643782b674313bb8f5a59ac93f929697debae9a4cff5ff5d9d2077f271a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zq8KtNWkLV.bat

Filesize
216B

MD5
ab60cf89d70bc5d1816fef07b34e66a9

SHA1
7acb56f077237bf3bc0bfae382f133d3a4b77ffa

SHA256
0d5e644c9da1bb36e93fe42993ef0d5401bd2487894d3d85a0f104a85b2bb3ed

SHA512
c507c17e58e805c94c6da2c66d7f0919f123a6b0881338bee7afeaa7961a083b88ffb76ba83fd6e1a1e2621537da902444fbe65e3540e24c664325175c5d5628

Download Submit
memory/4448-18-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-52-0x000000001C400000-0x000000001C40C000-memory.dmp

Filesize
48KB

Download
memory/4448-28-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-27-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/4448-30-0x000000001C390000-0x000000001C3A6000-memory.dmp

Filesize
88KB

Download
memory/4448-33-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

Filesize
72KB

Download
memory/4448-31-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-34-0x000000001C900000-0x000000001CE28000-memory.dmp

Filesize
5.2MB

Download
memory/4448-36-0x0000000003610000-0x000000000361E000-memory.dmp

Filesize
56KB

Download
memory/4448-38-0x000000001C370000-0x000000001C380000-memory.dmp

Filesize
64KB

Download
memory/4448-40-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/4448-42-0x000000001C430000-0x000000001C48A000-memory.dmp

Filesize
360KB

Download
memory/4448-44-0x000000001C3D0000-0x000000001C3DE000-memory.dmp

Filesize
56KB

Download
memory/4448-46-0x000000001C3E0000-0x000000001C3F0000-memory.dmp

Filesize
64KB

Download
memory/4448-48-0x000000001C3F0000-0x000000001C3FE000-memory.dmp

Filesize
56KB

Download
memory/4448-50-0x000000001C490000-0x000000001C4A8000-memory.dmp

Filesize
96KB

Download
memory/4448-54-0x000000001C500000-0x000000001C54E000-memory.dmp

Filesize
312KB

Download
memory/4448-25-0x0000000003630000-0x0000000003642000-memory.dmp

Filesize
72KB

Download
memory/4448-23-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-22-0x00000000035F0000-0x00000000035FE000-memory.dmp

Filesize
56KB

Download
memory/4448-71-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-20-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/4448-0-0x00007FFA3E893000-0x00007FFA3E895000-memory.dmp

Filesize
8KB

Download
memory/4448-17-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/4448-15-0x0000000003590000-0x00000000035A8000-memory.dmp

Filesize
96KB

Download
memory/4448-10-0x000000001C320000-0x000000001C370000-memory.dmp

Filesize
320KB

Download
memory/4448-11-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-13-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/4448-7-0x00000000033D0000-0x00000000033DE000-memory.dmp

Filesize
56KB

Download
memory/4448-9-0x0000000003450000-0x000000000346C000-memory.dmp

Filesize
112KB

Download
memory/4448-5-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-4-0x0000000003420000-0x0000000003446000-memory.dmp

Filesize
152KB

Download
memory/4448-2-0x00007FFA3E890000-0x00007FFA3F351000-memory.dmp

Filesize
10.8MB

Download
memory/4448-1-0x0000000000CB0000-0x000000000127A000-memory.dmp

Filesize
5.8MB

Download