dcrat | 7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Providerhost_Slayed.exe
Size

5.8MB
MD5

263d0b6713e330af2c42a39ff1418807
SHA1

ee6132238748ec57cd8e8d6c0521570be1866149
SHA256

7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59
SHA512

66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d
SSDEEP

98304:JP7kzuZ1cBGWwT/gIM7aNcYkJ+lTEYHerN79G9yhPH:JzdcBVWC7gc0lrHerfG9QP

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral3/memory/396-1-0x0000000000350000-0x000000000091A000-memory.dmp	family_dcrat_v2
behavioral3/files/0x001900000002b23c-65.dat	family_dcrat_v2

Executes dropped EXE 15 IoCs

pid	Process
5032	smss.exe
4388	smss.exe
5012	smss.exe
5988	smss.exe
2428	smss.exe
5632	smss.exe
1844	smss.exe
4688	smss.exe
2080	smss.exe
332	smss.exe
5076	smss.exe
3456	smss.exe
2956	smss.exe
3932	smss.exe
4040	smss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	Providerhost_Slayed.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\sppsvc.exe	Providerhost_Slayed.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\0a1fd5f707cd16	Providerhost_Slayed.exe
File created	C:\Program Files\Uninstall Information\services.exe	Providerhost_Slayed.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\spoolsv.exe	Providerhost_Slayed.exe
File opened for modification	C:\Windows\IdentityCRL\production\spoolsv.exe	Providerhost_Slayed.exe
File created	C:\Windows\IdentityCRL\production\f3b6ecef712a24	Providerhost_Slayed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4744	PING.EXE
3292	PING.EXE
984	PING.EXE
3952	PING.EXE
2892	PING.EXE
1560	PING.EXE
6096	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	Providerhost_Slayed.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	smss.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4744	PING.EXE
3292	PING.EXE
984	PING.EXE
3952	PING.EXE
2892	PING.EXE
1560	PING.EXE
6096	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe
396	Providerhost_Slayed.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	Providerhost_Slayed.exe
Token: SeDebugPrivilege	5032	smss.exe
Token: SeDebugPrivilege	4388	smss.exe
Token: SeDebugPrivilege	5012	smss.exe
Token: SeDebugPrivilege	5988	smss.exe
Token: SeDebugPrivilege	2428	smss.exe
Token: SeDebugPrivilege	5632	smss.exe
Token: SeDebugPrivilege	1844	smss.exe
Token: SeDebugPrivilege	4688	smss.exe
Token: SeDebugPrivilege	2080	smss.exe
Token: SeDebugPrivilege	332	smss.exe
Token: SeDebugPrivilege	5076	smss.exe
Token: SeDebugPrivilege	3456	smss.exe
Token: SeDebugPrivilege	2956	smss.exe
Token: SeDebugPrivilege	3932	smss.exe
Token: SeDebugPrivilege	4040	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1512	396	Providerhost_Slayed.exe	79
PID 396 wrote to memory of 1512	396	Providerhost_Slayed.exe	79
PID 1512 wrote to memory of 4956	1512	cmd.exe	81
PID 1512 wrote to memory of 4956	1512	cmd.exe	81
PID 1512 wrote to memory of 4928	1512	cmd.exe	82
PID 1512 wrote to memory of 4928	1512	cmd.exe	82
PID 1512 wrote to memory of 5032	1512	cmd.exe	83
PID 1512 wrote to memory of 5032	1512	cmd.exe	83
PID 5032 wrote to memory of 2100	5032	smss.exe	85
PID 5032 wrote to memory of 2100	5032	smss.exe	85
PID 2100 wrote to memory of 2396	2100	cmd.exe	87
PID 2100 wrote to memory of 2396	2100	cmd.exe	87
PID 2100 wrote to memory of 4620	2100	cmd.exe	88
PID 2100 wrote to memory of 4620	2100	cmd.exe	88
PID 2100 wrote to memory of 4388	2100	cmd.exe	89
PID 2100 wrote to memory of 4388	2100	cmd.exe	89
PID 4388 wrote to memory of 4932	4388	smss.exe	90
PID 4388 wrote to memory of 4932	4388	smss.exe	90
PID 4932 wrote to memory of 5116	4932	cmd.exe	92
PID 4932 wrote to memory of 5116	4932	cmd.exe	92
PID 4932 wrote to memory of 5412	4932	cmd.exe	93
PID 4932 wrote to memory of 5412	4932	cmd.exe	93
PID 4932 wrote to memory of 5012	4932	cmd.exe	94
PID 4932 wrote to memory of 5012	4932	cmd.exe	94
PID 5012 wrote to memory of 5356	5012	smss.exe	95
PID 5012 wrote to memory of 5356	5012	smss.exe	95
PID 5356 wrote to memory of 6060	5356	cmd.exe	97
PID 5356 wrote to memory of 6060	5356	cmd.exe	97
PID 5356 wrote to memory of 3952	5356	cmd.exe	98
PID 5356 wrote to memory of 3952	5356	cmd.exe	98
PID 5356 wrote to memory of 5988	5356	cmd.exe	99
PID 5356 wrote to memory of 5988	5356	cmd.exe	99
PID 5988 wrote to memory of 4216	5988	smss.exe	100
PID 5988 wrote to memory of 4216	5988	smss.exe	100
PID 4216 wrote to memory of 5408	4216	cmd.exe	102
PID 4216 wrote to memory of 5408	4216	cmd.exe	102
PID 4216 wrote to memory of 2892	4216	cmd.exe	103
PID 4216 wrote to memory of 2892	4216	cmd.exe	103
PID 4216 wrote to memory of 2428	4216	cmd.exe	104
PID 4216 wrote to memory of 2428	4216	cmd.exe	104
PID 2428 wrote to memory of 2532	2428	smss.exe	105
PID 2428 wrote to memory of 2532	2428	smss.exe	105
PID 2532 wrote to memory of 4436	2532	cmd.exe	107
PID 2532 wrote to memory of 4436	2532	cmd.exe	107
PID 2532 wrote to memory of 920	2532	cmd.exe	108
PID 2532 wrote to memory of 920	2532	cmd.exe	108
PID 2532 wrote to memory of 5632	2532	cmd.exe	109
PID 2532 wrote to memory of 5632	2532	cmd.exe	109
PID 5632 wrote to memory of 1788	5632	smss.exe	110
PID 5632 wrote to memory of 1788	5632	smss.exe	110
PID 1788 wrote to memory of 3268	1788	cmd.exe	112
PID 1788 wrote to memory of 3268	1788	cmd.exe	112
PID 1788 wrote to memory of 6128	1788	cmd.exe	113
PID 1788 wrote to memory of 6128	1788	cmd.exe	113
PID 1788 wrote to memory of 1844	1788	cmd.exe	114
PID 1788 wrote to memory of 1844	1788	cmd.exe	114
PID 1844 wrote to memory of 6052	1844	smss.exe	115
PID 1844 wrote to memory of 6052	1844	smss.exe	115
PID 6052 wrote to memory of 5160	6052	cmd.exe	117
PID 6052 wrote to memory of 5160	6052	cmd.exe	117
PID 6052 wrote to memory of 4708	6052	cmd.exe	118
PID 6052 wrote to memory of 4708	6052	cmd.exe	118
PID 6052 wrote to memory of 4688	6052	cmd.exe	119
PID 6052 wrote to memory of 4688	6052	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\Providerhost_Slayed.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rLDhIwA75f.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4928
- - C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
    "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GxEp7zFCwB.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2396
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4620
    - - C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NS7UfUfsaQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5412
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KfiEaGEkVw.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qwmke0eayG.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:920
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GxEp7zFCwB.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:6128
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:6052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4708
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat"
        18⤵
        
        PID:5176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:428
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat"
        20⤵
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat"
        22⤵
        
        PID:5852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6096
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k9Xkw6Am4N.bat"
        24⤵
        
        PID:4864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat"
        26⤵
        
        PID:4100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat"
        28⤵
        
        PID:5864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3428
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m3jNUitKc7.bat"
        30⤵
        
        PID:5828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:984
        
        C:\5d01b42e8bdcf0224f11312b4d07\smss.exe
        
        "C:\5d01b42e8bdcf0224f11312b4d07\smss.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oXOdSEs2zx.bat"
        32⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:5980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5d01b42e8bdcf0224f11312b4d07\smss.exe

Filesize
5.8MB

MD5
263d0b6713e330af2c42a39ff1418807

SHA1
ee6132238748ec57cd8e8d6c0521570be1866149

SHA256
7ffaa6141811c066f72560675b8df9ca32e8a28431489e9fe9dd479c1004fa59

SHA512
66a5b7d6bcc4426c6f188c8d1312d5257a62fd0b098dcc5fa72e1e8cf1d7f5be3e0263ec2faefefa97228ef634228968db22dd8e1dfe1f0a70a6d4bf7d26521d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
8b4a6bb02b91325777293f125faed7ee

SHA1
fa59c9dfb216665abd19431b58ffc769b89e491a

SHA256
6463aebcde84331e5ce480679d9321a06347fb125ba5f7e36a0622bdca9ace2e

SHA512
1f76960e162f775e7407825f4864414e215ae3d57a0316f046548a407a75ee18a2b249131b9e8af32b47c337eeee113f1c70319746aeecbecfe83e0916b46bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat

Filesize
168B

MD5
9fb2b832228caae71687b7a822609941

SHA1
7bb96afd71e026323a3055ef8efbeabeaefedecf

SHA256
e06e6bd5f9cf590a967e4939f36639be49a6f46adc9a22680abc1134fab7ff2f

SHA512
f4062e4da3a61a5a76698da31c90b8aeb8119c65aeb32aa72217e7ddc302eec8da3602c51cbbf9c7e7f107b9e9799dab88187e17153e25ad42af2d2064d54d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

Filesize
216B

MD5
d3720732e6b898232b662a8f4b4736b8

SHA1
65cb0061f797259deaeb8447a3cc2862ea0cd40a

SHA256
4ebe6f986a7db1f4030404d8a7d352c2b0cb763e10284ba857e6f2bd448d0c52

SHA512
d57044853428d4a3ee95185d9828cd9ffd5cfa45c87b725a90dea3f05e0fb4240b6283e8a8dc691aa5b3dc29251da72b6eca3b7605123488ec0d61be770b1e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat

Filesize
168B

MD5
d407bffc21deabb4f947839de1e73a56

SHA1
97d4fe832d8fd41a428dbc196c1511a5103eff5b

SHA256
ffdfe231c6affc07a83842a11c310d12fe7d1130f9b4060726851875f77e6f2b

SHA512
b71ca7fa2bafed86612a52ce1c959373654ecc366027603c5429e1a1a8cc8c711c1cf9a8efc8e1ad5ebfe348bfe3e463737f129e8d5300b0b741ebd718e1bd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxEp7zFCwB.bat

Filesize
216B

MD5
cc492c7792e9eb8797e3a6dc2f4f0d70

SHA1
c45cb569c0266476aefba1ad4f1ed281c1dfc9f3

SHA256
8dbcb30e4bab0fe5e23c276081255b2e9b2cebf2e9e5a03ba1e3be983f8e7287

SHA512
2b2633ef425ad79ac2b70913ca795e035a0be922d3fca7b4865a9a389bf11d2cfc040fd23334cc14f545503f681d32368a811aaf0d1d34cefac38e6b0171e439

Download Submit
C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat

Filesize
168B

MD5
db43ef431a241d5f77516a286f2991e7

SHA1
12d5167d4590c2875d2b0921edd062ea5a0e6a4e

SHA256
2dfb9bbab4a3953f8e328252e8c1faecf6752be7caf4e8d9074f69b93d33fbca

SHA512
9444e6914ced3962cf031cfcf049e85604195f60a6ef2636d83a8b24b6bb94fd7dfc99cb247421b33654adfcde1ef2b8ce702dc12f8b658054033cc865cb79ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfiEaGEkVw.bat

Filesize
168B

MD5
5028fdf7b2c3855678b1a2a430e2b40d

SHA1
f302ee089fd23ae1174566108168411ef640c880

SHA256
71fbbac63b8a74040dfd22fb25428df5e6405cc417a573445b5d6e495c90620d

SHA512
2df89c6ac57b433f77aeaa21ebc19d280eb3ee6f444dd1ba42925a8e8b1d264c15ae111830d90207edcea972a2d9a2b7bc8b77dab44db3014b1001c50684e733

Download Submit
C:\Users\Admin\AppData\Local\Temp\NS7UfUfsaQ.bat

Filesize
216B

MD5
30fc664b1141c7276ec5507fc0e568de

SHA1
dcbbbc9cb97d30a1086fd0f8e5d25614f7b46ee6

SHA256
dd181c428d87061c8f5369427c00ff242308154083a665c040781d770bb63769

SHA512
27ec93bb55bccaa372e8549bb4132c2c519b14ab2d6ea4cc751ee408ef6c57356133e43cb99d153e9ddd187fdcac775516a53383f0a954bdae8fb39351c89f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat

Filesize
216B

MD5
3b34d9372e1e87d8e2fd5ab9313f7917

SHA1
1161d2885e7a7c468139ce4266005752bcf2fca4

SHA256
f7010a6471f5245ffe1c11b7f34f95086efece83ea9f2df372c96f54e2fd3951

SHA512
adf2e984779fc0208e6c17df42438480d0df517a20dcf3317f0d5e2c09d86e830b9e27d0a03c5d26faeccab1f4367ff34c870afe2bf139463992ca897ae29cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat

Filesize
168B

MD5
35a03ff5cf4a3cb5adc51b7a8e7947d2

SHA1
63ebdc94dbba621fcf20975597dc52d12dfc5953

SHA256
01f10ae3383dbb79d11c217d09f55cd36c8cc8122a5367a185895bc96ad4d2e5

SHA512
e6acf568f58f55d27c4832594c9b7dc2632315cd775de057c0186345fe66efaded08414e876a51a7a2dda13e0ac3ac9b7c7a7158c304e511304cc98a7bcba0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwmke0eayG.bat

Filesize
216B

MD5
9b36567986d9d6b2b448293a314c02d0

SHA1
68abc05f62e4c9ef873f2200bad2f85b5675bb81

SHA256
b240844606f3ea1f9ed26acc937f114b2ca46739e7f6fc795fe04b4f8785a3d1

SHA512
50b19788737f7093bcca3083d1a9046841ec5e29d6d5bbb6648ae1334a15e4cf5f19b46939b256d89037637e1fbd69f3cfba9ebc83ad53a3e2f7af8df0f5bd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat

Filesize
216B

MD5
48c201ee478ebf4e45b53dbaef7437e0

SHA1
2d9bb30af90b3cf8cce3f0bef41cca508ff7f3e4

SHA256
e2aa8650dd94c13152c08860f55b87eefff922ad644123dfa65a3f943a5df6ed

SHA512
712c42bf7a00ae68e4634c31a381164e9bfca2eb1555eca8b54277e270456f2396d29cd45972d79dc211ffccd570de1d6a5bc0351e64cd615d1503bb6d4fd456

Download Submit
C:\Users\Admin\AppData\Local\Temp\k9Xkw6Am4N.bat

Filesize
168B

MD5
7e7e85cbfd92317c31d78e98ae3ecdec

SHA1
5076f0a2a958293961709461b5ada05746ccf5c6

SHA256
9dee2e946eb871fa3582ea7d1d301575ad03bf59b478e3f00273bb5fa9f0012f

SHA512
42c77e57354b70c721a911437a206974ba9808a25fb0175286c2b32de96db1af72ff409a7892434c1e9973df775219c9f981111ae80b5fc689558e40728260de

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3jNUitKc7.bat

Filesize
168B

MD5
f7b8a18f52a862ba5faa6bee2ebb60b3

SHA1
8e90fd4e6724a1d9ffb8618d3bb29052e746854a

SHA256
2e34d33de7f9035f7788fb09902e6b4d61a4f0a48e1e5fdab0abeee8d0dcac30

SHA512
47eb3e9fa78ab3f750b0a359c6939b50112ad431746e4c7286ab7eb35d363f5120d990c92a528ecdfe0ceaa6785afc1f247c8861724dd48731d80f304c3edd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\oXOdSEs2zx.bat

Filesize
216B

MD5
d299fdc0b9ed9a6768b102d3f4e02c9c

SHA1
a4ffa54fde63229ce3b37c703c08a76b65a71d09

SHA256
a91eac5543607f10223613f6ca908200cbcbf3ee27600cddcd5ccf6730eac569

SHA512
85e7c0aed91bc89444840977e7daa93d822ccc0239a2f660314592b311b5831380066a4cb04b397de0f85c1999beada4acba06a196c8673e16fd07adc5ac8224

Download Submit
C:\Users\Admin\AppData\Local\Temp\rLDhIwA75f.bat

Filesize
216B

MD5
79bd5894e6d30d05b520375f87b937a6

SHA1
e751440cfe92e88278e6426bcaa6b1fe6e5b7876

SHA256
b314bbb3796befac4cef7614b91d5bad02149a1624845d3f3e6d22ba7b45cf9c

SHA512
e8039b39ed24ebd492c1504df49855e2951dc4d3ec16cdfae6bd490dc909e3b6fdf0a08875c0154842e24584aa03c2903d6facac97fb95ae9a5793b0e7274e91

Download Submit
memory/396-24-0x000000001B570000-0x000000001B582000-memory.dmp

Filesize
72KB

Download
memory/396-27-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-31-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

Filesize
72KB

Download
memory/396-32-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-35-0x000000001B4F0000-0x000000001B4FE000-memory.dmp

Filesize
56KB

Download
memory/396-41-0x000000001BB50000-0x000000001BBAA000-memory.dmp

Filesize
360KB

Download
memory/396-39-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/396-44-0x000000001BAF0000-0x000000001BAFE000-memory.dmp

Filesize
56KB

Download
memory/396-46-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/396-42-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-37-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/396-49-0x000000001BB10000-0x000000001BB1E000-memory.dmp

Filesize
56KB

Download
memory/396-51-0x000000001BBB0000-0x000000001BBC8000-memory.dmp

Filesize
96KB

Download
memory/396-47-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-33-0x000000001C010000-0x000000001C538000-memory.dmp

Filesize
5.2MB

Download
memory/396-53-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/396-55-0x000000001BC20000-0x000000001BC6E000-memory.dmp

Filesize
312KB

Download
memory/396-29-0x000000001B590000-0x000000001B5A6000-memory.dmp

Filesize
88KB

Download
memory/396-26-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/396-73-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-19-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/396-21-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-0-0x00007FFCE7AF3000-0x00007FFCE7AF5000-memory.dmp

Filesize
8KB

Download
memory/396-22-0x000000001B4D0000-0x000000001B4DE000-memory.dmp

Filesize
56KB

Download
memory/396-14-0x0000000002CA0000-0x0000000002CB8000-memory.dmp

Filesize
96KB

Download
memory/396-17-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/396-15-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-10-0x000000001B520000-0x000000001B570000-memory.dmp

Filesize
320KB

Download
memory/396-12-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/396-9-0x0000000002B30000-0x0000000002B4C000-memory.dmp

Filesize
112KB

Download
memory/396-7-0x0000000001240000-0x000000000124E000-memory.dmp

Filesize
56KB

Download
memory/396-5-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-4-0x0000000002C70000-0x0000000002C96000-memory.dmp

Filesize
152KB

Download
memory/396-2-0x00007FFCE7AF0000-0x00007FFCE85B2000-memory.dmp

Filesize
10.8MB

Download
memory/396-1-0x0000000000350000-0x000000000091A000-memory.dmp

Filesize
5.8MB

Download