dcrat | 7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

Analysis

max time kernel
144s
max time network
147s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Providerhost_Slayed.exe
Size

5.8MB
MD5

263d0b6713e330af2c42a39ff1418807
SHA1

ee6132238748ec57cd8e8d6c0521570be1866149
SHA256

7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59
SHA512

66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d
SSDEEP

98304:JP7kzuZ1cBGWwT/gIM7aNcYkJ+lTEYHerN79G9yhPH:JzdcBVWC7gc0lrHerfG9QP

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/5860-1-0x00000000003F0000-0x00000000009BA000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000800000002811b-72.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Providerhost_Slayed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 14 IoCs

pid	Process
4956	OfficeClickToRun.exe
2416	OfficeClickToRun.exe
5572	OfficeClickToRun.exe
1612	OfficeClickToRun.exe
3324	OfficeClickToRun.exe
1696	OfficeClickToRun.exe
2956	OfficeClickToRun.exe
384	OfficeClickToRun.exe
2028	OfficeClickToRun.exe
5684	OfficeClickToRun.exe
3976	OfficeClickToRun.exe
652	OfficeClickToRun.exe
5552	OfficeClickToRun.exe
2704	OfficeClickToRun.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\66fc9ff0ee96c2	Providerhost_Slayed.exe
File created	C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe	Providerhost_Slayed.exe
File created	C:\Program Files (x86)\Windows Portable Devices\29c1c3cc0f7685	Providerhost_Slayed.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sihost.exe	Providerhost_Slayed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5788	PING.EXE
4616	PING.EXE
3652	PING.EXE
5088	PING.EXE
5380	PING.EXE
1964	PING.EXE
1628	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	Providerhost_Slayed.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
5788	PING.EXE
4616	PING.EXE
3652	PING.EXE
5088	PING.EXE
5380	PING.EXE
1964	PING.EXE
1628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe
5860	Providerhost_Slayed.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5860	Providerhost_Slayed.exe
Token: SeDebugPrivilege	4956	OfficeClickToRun.exe
Token: SeDebugPrivilege	2416	OfficeClickToRun.exe
Token: SeDebugPrivilege	5572	OfficeClickToRun.exe
Token: SeDebugPrivilege	1612	OfficeClickToRun.exe
Token: SeDebugPrivilege	3324	OfficeClickToRun.exe
Token: SeDebugPrivilege	1696	OfficeClickToRun.exe
Token: SeDebugPrivilege	2956	OfficeClickToRun.exe
Token: SeDebugPrivilege	384	OfficeClickToRun.exe
Token: SeDebugPrivilege	2028	OfficeClickToRun.exe
Token: SeDebugPrivilege	5684	OfficeClickToRun.exe
Token: SeDebugPrivilege	3976	OfficeClickToRun.exe
Token: SeDebugPrivilege	652	OfficeClickToRun.exe
Token: SeDebugPrivilege	5552	OfficeClickToRun.exe
Token: SeDebugPrivilege	2704	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5860 wrote to memory of 5720	5860	Providerhost_Slayed.exe	81
PID 5860 wrote to memory of 5720	5860	Providerhost_Slayed.exe	81
PID 5720 wrote to memory of 2840	5720	cmd.exe	83
PID 5720 wrote to memory of 2840	5720	cmd.exe	83
PID 5720 wrote to memory of 3516	5720	cmd.exe	84
PID 5720 wrote to memory of 3516	5720	cmd.exe	84
PID 5720 wrote to memory of 4956	5720	cmd.exe	89
PID 5720 wrote to memory of 4956	5720	cmd.exe	89
PID 4956 wrote to memory of 1148	4956	OfficeClickToRun.exe	91
PID 4956 wrote to memory of 1148	4956	OfficeClickToRun.exe	91
PID 1148 wrote to memory of 2552	1148	cmd.exe	93
PID 1148 wrote to memory of 2552	1148	cmd.exe	93
PID 1148 wrote to memory of 5788	1148	cmd.exe	94
PID 1148 wrote to memory of 5788	1148	cmd.exe	94
PID 1148 wrote to memory of 2416	1148	cmd.exe	97
PID 1148 wrote to memory of 2416	1148	cmd.exe	97
PID 2416 wrote to memory of 5920	2416	OfficeClickToRun.exe	98
PID 2416 wrote to memory of 5920	2416	OfficeClickToRun.exe	98
PID 5920 wrote to memory of 1892	5920	cmd.exe	100
PID 5920 wrote to memory of 1892	5920	cmd.exe	100
PID 5920 wrote to memory of 1688	5920	cmd.exe	101
PID 5920 wrote to memory of 1688	5920	cmd.exe	101
PID 5920 wrote to memory of 5572	5920	cmd.exe	102
PID 5920 wrote to memory of 5572	5920	cmd.exe	102
PID 5572 wrote to memory of 3844	5572	OfficeClickToRun.exe	103
PID 5572 wrote to memory of 3844	5572	OfficeClickToRun.exe	103
PID 3844 wrote to memory of 1904	3844	cmd.exe	105
PID 3844 wrote to memory of 1904	3844	cmd.exe	105
PID 3844 wrote to memory of 4616	3844	cmd.exe	106
PID 3844 wrote to memory of 4616	3844	cmd.exe	106
PID 3844 wrote to memory of 1612	3844	cmd.exe	108
PID 3844 wrote to memory of 1612	3844	cmd.exe	108
PID 1612 wrote to memory of 3000	1612	OfficeClickToRun.exe	109
PID 1612 wrote to memory of 3000	1612	OfficeClickToRun.exe	109
PID 3000 wrote to memory of 3172	3000	cmd.exe	111
PID 3000 wrote to memory of 3172	3000	cmd.exe	111
PID 3000 wrote to memory of 2824	3000	cmd.exe	112
PID 3000 wrote to memory of 2824	3000	cmd.exe	112
PID 3000 wrote to memory of 3324	3000	cmd.exe	113
PID 3000 wrote to memory of 3324	3000	cmd.exe	113
PID 3324 wrote to memory of 4620	3324	OfficeClickToRun.exe	114
PID 3324 wrote to memory of 4620	3324	OfficeClickToRun.exe	114
PID 4620 wrote to memory of 1464	4620	cmd.exe	116
PID 4620 wrote to memory of 1464	4620	cmd.exe	116
PID 4620 wrote to memory of 5576	4620	cmd.exe	117
PID 4620 wrote to memory of 5576	4620	cmd.exe	117
PID 4620 wrote to memory of 1696	4620	cmd.exe	118
PID 4620 wrote to memory of 1696	4620	cmd.exe	118
PID 1696 wrote to memory of 3604	1696	OfficeClickToRun.exe	119
PID 1696 wrote to memory of 3604	1696	OfficeClickToRun.exe	119
PID 3604 wrote to memory of 2740	3604	cmd.exe	121
PID 3604 wrote to memory of 2740	3604	cmd.exe	121
PID 3604 wrote to memory of 2496	3604	cmd.exe	122
PID 3604 wrote to memory of 2496	3604	cmd.exe	122
PID 3604 wrote to memory of 2956	3604	cmd.exe	123
PID 3604 wrote to memory of 2956	3604	cmd.exe	123
PID 2956 wrote to memory of 4076	2956	OfficeClickToRun.exe	124
PID 2956 wrote to memory of 4076	2956	OfficeClickToRun.exe	124
PID 4076 wrote to memory of 3228	4076	cmd.exe	126
PID 4076 wrote to memory of 3228	4076	cmd.exe	126
PID 4076 wrote to memory of 3652	4076	cmd.exe	127
PID 4076 wrote to memory of 3652	4076	cmd.exe	127
PID 4076 wrote to memory of 384	4076	cmd.exe	128
PID 4076 wrote to memory of 384	4076	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Xzai8ndJ0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5720
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2840
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3516
- - C:\Users\Default\Start Menu\OfficeClickToRun.exe
    "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOZXYTZLgh.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2552
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5788
    - - C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1688
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4616
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2824
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2BGdjLelXV.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5576
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2496
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3652
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat"
        18⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5088
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE5h37GJz6.bat"
        20⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2688
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat"
        22⤵
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1796
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat"
        24⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1160
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YrEnXzY23X.bat"
        26⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5380
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ViC2VcqdKs.bat"
        28⤵
        
        PID:5760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Users\Default\Start Menu\OfficeClickToRun.exe
        
        "C:\Users\Default\Start Menu\OfficeClickToRun.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zhbNlpe3Af.bat"
        30⤵
        
        PID:5748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
340f7d929ebbc3218c7c80bb773799de

SHA1
d6246e1ec0a00c25283d12ca60108f6c8888bb1c

SHA256
818c3b409a489f80f5ebc50338ea66ea8a4d90d3d35c4f41d37861dfdbd3da04

SHA512
083198c6adc0b14dc6cc3ab9235450aa7ca3b49b5342949771d216f6cd2a82187f02665a803e9ad88064797b78aafdd1aac11f8da1442bfabb0ee72454841d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BGdjLelXV.bat

Filesize
224B

MD5
d2b4e574201353b0b4b5a73345a2181b

SHA1
b09f928246ccac50d924ee854fa171d444f7ea85

SHA256
205268610a8d64cc7f317bb84a4daf8b54e28f269e452b576d2283dacfe392e5

SHA512
e76d67fc0f4a474aa26dbeaa46c9245dcd3b8ecc6f43dd952c5a3f4c303b0eaea9f35064c1895909d9a01695408623ca2374ad249042a0b8cbd6a9db40b1f20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat

Filesize
224B

MD5
e15564e5bffb1c191884f75ba61b1f7c

SHA1
b5569b6c6eb72488cd625d992caca8de951779c6

SHA256
c73fdde768a6726528a02053ea98eda78ed54afb6c1389f6e29826295768cf32

SHA512
575d02b21cc4ca7e2ea41c8283147bf5a4e154c98c3149edf46d301f2d33cf2b04c9f9f2255091d1d3dc2d050a1395841c956c1d9c05258f5270904c55b34926

Download Submit
C:\Users\Admin\AppData\Local\Temp\7nxekELsf0.bat

Filesize
176B

MD5
f27799c8ed71d129493ff0e4897d50b4

SHA1
f471abf2cfb296a9fc87da73ed31f219865799d6

SHA256
1874984ea2ed6743186016df1a833f65b69407f94f1062169c598f87e1239260

SHA512
9432015f46f912b767e856576ed0958b5998ea7de5ad6250058ebdc546129ab1dc08a7c59a0754c30f0065ff3bfe28f749e22db4c8c5bb06dd48069c712c6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Xzai8ndJ0.bat

Filesize
224B

MD5
f892dba2af70835c53d78788ece3b409

SHA1
57d4709149078dba9788eecff4d160d1a2b4c612

SHA256
123eaa88bb3dadb94f9f6ecd5305091db6e5873a4816a40feeac1f8fe4b4b2bd

SHA512
25f1b8eae8162f4709381f6c707a03c02c460d1f93fe3cfcaac3db5c1da65284597bfa6790c35e982cd212b44fed09e380e4e96eb88260f93df20f7b9350963d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat

Filesize
176B

MD5
bdd8a666d8199c2eb544b4a5cc541884

SHA1
c55f5233b467f1b706b39291d9b159c1aa490b2a

SHA256
d23f6feca9e3f93633b9d126c26e67af922432a1c3e02651d1f741f225a719c1

SHA512
fff15c693654898853bf7ddceab79061be910a9719997d5ba5f28ed669e14c34f64e45726768588ad383e3daf127846cf9275bf4dc84357b49d811683ee80a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdToEt2qxP.bat

Filesize
224B

MD5
69703323697e25add209b4bf328a5015

SHA1
b86d9651a97caba18b59109b7edfbed13f8c22e3

SHA256
a63dc0090ae2f4e32368cd9b67695c61358b598e1bc94c48aa8b4d47acb284f2

SHA512
c1100f6216c2caf7bb45fdbc3e139fc0b60ba38e0d6b21428428b5e3b5d7fc3651481c21258c1ded0ac5f9acc21f59067fb8300fc0074cb0852d6473591f122d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat

Filesize
176B

MD5
9a76f0879cc3723e5856167c93389b99

SHA1
3a1aa3f34c863e29676ccd89bd36ea6677b289f2

SHA256
f0b0bd5f3a10978e162747c90d972320a698fb80ee1ef83a5fa2f22167173638

SHA512
b73512d8f9d5cfd0a579388b778de59fe1d818013c09da4b90409261a3bef35ec781d8b0cc1663bdbbcea6824899503ab26a19ca5ecaf1d9e83d6a2d64567acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViC2VcqdKs.bat

Filesize
176B

MD5
d2dc5e8577e7a985f1f2f1bada63166b

SHA1
6885c31434884099004b90d4ed2e6907b660e5f1

SHA256
8b0680fb1eb6bee5afcea6d5068dfae9d3b5515e577d0b65b9716cd42eb68097

SHA512
2e11a29eb4dd9cb8ce68af71e6215946797b769a19aa33c79b7672595e93192a6f365ffd1f45ff0513c3bf25418d139fee79685de7ee5a047c0147df78fc22d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOZXYTZLgh.bat

Filesize
176B

MD5
897672616c2e9ca0381a8a60d02f5ed5

SHA1
21e53a81f7fdfc483cd7d9f07f33cdfc3b2e4fe2

SHA256
0c155997f692e2da8e1b5759df3c14b683710c97a4e5a19551cab66e282323f9

SHA512
1937da76b907b16b6cd698530414accfdf444a52906df8a287b449849022c9affa2f7a1b79424b21182f82a903dbc2e2825e7e5eae37453a904de409b9f386be

Download Submit
C:\Users\Admin\AppData\Local\Temp\YrEnXzY23X.bat

Filesize
176B

MD5
c9629f42d15089348383fae4b1399cc8

SHA1
188964cabd5da78b37e5a93517db75a67cfea7ff

SHA256
c4e221c84740f82e0f1db776fcada34560142ac7070bb241f01668e9517115b8

SHA512
8d38b804e2b6ab83c9af4624b8644a5cf27b4a7e4ae7d09f53b6abedfad69cae189b9db79241b5ac7686f9a2c6fd9a7abeb8fdc7e6d3a5d68ef3b8fb708dc1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z63w1kYtFS.bat

Filesize
224B

MD5
5256c01299496a08b6052c8f26fbab6d

SHA1
2a8b077bf55102c65d29ce98f765a8e85ed574b3

SHA256
77f04ac7f5f3440a2fb852fc512ae2590ae004f19edfda5bd5769e0743011a27

SHA512
6b24f15bb3e0efa76195d8eb7e0776230c1539b01867bf4ce49ca1b270e18906cc3072614a7f03ca45cda87187ff778f40e44da567d738a50a9754688cc06794

Download Submit
C:\Users\Admin\AppData\Local\Temp\cE5h37GJz6.bat

Filesize
224B

MD5
8778bfde29bc0314f46ffab6576bb851

SHA1
a288be82a349fdfcd8fa2c9bc75e661020c22111

SHA256
fff6be89f41726d3671ed5594849dc9b1ffa33b5e629bb2940fbb3e3030a4d9a

SHA512
293d1c994e037006f3212d52fab60be9a79d03a733abcd92b212120f8b7c7d21cd46010ddfd97dc71d7cc7a97deec8858d6fac93d2d70d3a5a07dc0b02ab7cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq9fLK5Nyj.bat

Filesize
224B

MD5
27fff06ed9c51912ae26aef82a83c404

SHA1
509c246723cdae28f457265b05c4696cc2231e53

SHA256
96fa88dd85a27f7812dc94243839acd3a10f34ee4230cfbab4af9ff459a9308b

SHA512
56ffbb1f552a6526c059fa4d2270f6d07c83cbc02b2ebc8aae4756641535572a1ee7f2cd4e989bb97fd1143ea9a9e13d0ff729914be58b738ecafe0fb8b6c20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhbNlpe3Af.bat

Filesize
176B

MD5
58c701216c662adf33d62e57aaf4dd13

SHA1
5d38119f94303901fd4cab3abe4fa04ae2057a8d

SHA256
80217a13249bbd7fdc4dcfa9cf071d3eceabb86443804754f01260a36a188d76

SHA512
9ca621fe275d7902a57ca8a66a71271d3556fac3e3fe7c7b81648ac204a8db9a707a99c93f77a405b789f39f9d0b75045d6494e4c8eb0f6da4bd4668952a16d0

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\OfficeClickToRun.exe

Filesize
5.8MB

MD5
263d0b6713e330af2c42a39ff1418807

SHA1
ee6132238748ec57cd8e8d6c0521570be1866149

SHA256
7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

SHA512
66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d

Download Submit
memory/5860-20-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/5860-35-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-29-0x000000001BAE0000-0x000000001BAF6000-memory.dmp

Filesize
88KB

Download
memory/5860-31-0x000000001BB00000-0x000000001BB12000-memory.dmp

Filesize
72KB

Download
memory/5860-34-0x000000001B510000-0x000000001B51E000-memory.dmp

Filesize
56KB

Download
memory/5860-32-0x000000001C050000-0x000000001C578000-memory.dmp

Filesize
5.2MB

Download
memory/5860-37-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/5860-40-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-42-0x000000001BB80000-0x000000001BBDA000-memory.dmp

Filesize
360KB

Download
memory/5860-43-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-45-0x000000001BAD0000-0x000000001BADE000-memory.dmp

Filesize
56KB

Download
memory/5860-39-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

Filesize
64KB

Download
memory/5860-47-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/5860-51-0x000000001BB60000-0x000000001BB78000-memory.dmp

Filesize
96KB

Download
memory/5860-53-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/5860-55-0x000000001BC30000-0x000000001BC7E000-memory.dmp

Filesize
312KB

Download
memory/5860-49-0x000000001BB30000-0x000000001BB3E000-memory.dmp

Filesize
56KB

Download
memory/5860-27-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/5860-23-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-70-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-25-0x000000001B520000-0x000000001B532000-memory.dmp

Filesize
72KB

Download
memory/5860-22-0x0000000002B90000-0x0000000002B9E000-memory.dmp

Filesize
56KB

Download
memory/5860-18-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-0-0x00007FFAE4293000-0x00007FFAE4295000-memory.dmp

Filesize
8KB

Download
memory/5860-17-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/5860-15-0x0000000002BC0000-0x0000000002BD8000-memory.dmp

Filesize
96KB

Download
memory/5860-11-0x000000001BA70000-0x000000001BAC0000-memory.dmp

Filesize
320KB

Download
memory/5860-13-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/5860-8-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-10-0x0000000002BA0000-0x0000000002BBC000-memory.dmp

Filesize
112KB

Download
memory/5860-7-0x0000000001170000-0x000000000117E000-memory.dmp

Filesize
56KB

Download
memory/5860-5-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-4-0x0000000001190000-0x00000000011B6000-memory.dmp

Filesize
152KB

Download
memory/5860-2-0x00007FFAE4290000-0x00007FFAE4D52000-memory.dmp

Filesize
10.8MB

Download
memory/5860-1-0x00000000003F0000-0x00000000009BA000-memory.dmp

Filesize
5.8MB

Download