Analysis

  • max time kernel
    1749s
  • max time network
    1799s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 18:34

General

  • Target

    chainbrowserSession - Copie.exe

  • Size

    827KB

  • MD5

    dcd1dbdf7c8bfb9263e5dda02b1bfa79

  • SHA1

    0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

  • SHA256

    3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

  • SHA512

    d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

  • SSDEEP

    12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 23 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 34 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
    "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9wHWbohcCd.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:956
        • C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
          "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2864
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:536
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {CA50A649-362A-49FA-9D70-BE734B971FD7} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:268
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\ehome\smss.exe
        C:\Windows\ehome\smss.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Program Files\VideoLAN\VLC\winlogon.exe
        "C:\Program Files\VideoLAN\VLC\winlogon.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
        "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1032
      • C:\Windows\ja-JP\csrss.exe
        C:\Windows\ja-JP\csrss.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:972
      • C:\Users\Default User\sppsvc.exe
        "C:\Users\Default User\sppsvc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
        C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
      • C:\Users\Admin\Music\services.exe
        C:\Users\Admin\Music\services.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\ehome\smss.exe
        C:\Windows\ehome\smss.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Program Files\VideoLAN\VLC\winlogon.exe
        "C:\Program Files\VideoLAN\VLC\winlogon.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
        "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:376
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\ja-JP\csrss.exe
        C:\Windows\ja-JP\csrss.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:836
      • C:\Windows\ehome\smss.exe
        C:\Windows\ehome\smss.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Users\Default User\sppsvc.exe
        "C:\Users\Default User\sppsvc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:468
      • C:\Program Files\VideoLAN\VLC\winlogon.exe
        "C:\Program Files\VideoLAN\VLC\winlogon.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:188
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
        C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
        "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
      • C:\Users\Admin\Music\services.exe
        C:\Users\Admin\Music\services.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
        "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2988

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9wHWbohcCd.bat

      Filesize

      226B

      MD5

      6e4709f06c71fb60bd08754cee36454e

      SHA1

      ca1dc0244cf519b483f3762a133b5cec266d5244

      SHA256

      6d6e7e3b2a5202adb1aaa007f6dc5b40423c9192374d20354f9ea006f7d845cc

      SHA512

      2a09bdea833b9ea0c3df454bfd78f8d14b86c644580eed6f3459eed78abc88b9100dc7e771b2f1ae41dcd5f7890bde789f123ed346acf8ccd79e651bb6e8d207

    • C:\Users\Admin\Music\services.exe

      Filesize

      827KB

      MD5

      dcd1dbdf7c8bfb9263e5dda02b1bfa79

      SHA1

      0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b

      SHA256

      3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

      SHA512

      d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

    • memory/188-85-0x0000000000B90000-0x0000000000C66000-memory.dmp

      Filesize

      856KB

    • memory/268-40-0x0000000000080000-0x0000000000156000-memory.dmp

      Filesize

      856KB

    • memory/836-83-0x0000000000F40000-0x0000000001016000-memory.dmp

      Filesize

      856KB

    • memory/948-35-0x00000000013E0000-0x00000000014B6000-memory.dmp

      Filesize

      856KB

    • memory/972-60-0x0000000000A70000-0x0000000000B46000-memory.dmp

      Filesize

      856KB

    • memory/1032-54-0x00000000010D0000-0x00000000011A6000-memory.dmp

      Filesize

      856KB

    • memory/1532-59-0x00000000011A0000-0x0000000001276000-memory.dmp

      Filesize

      856KB

    • memory/1556-63-0x0000000000DF0000-0x0000000000EC6000-memory.dmp

      Filesize

      856KB

    • memory/1648-76-0x0000000000030000-0x0000000000106000-memory.dmp

      Filesize

      856KB

    • memory/1652-94-0x0000000000EF0000-0x0000000000FC6000-memory.dmp

      Filesize

      856KB

    • memory/1748-75-0x0000000000070000-0x0000000000146000-memory.dmp

      Filesize

      856KB

    • memory/2068-46-0x0000000000850000-0x0000000000926000-memory.dmp

      Filesize

      856KB

    • memory/2088-47-0x0000000001300000-0x00000000013D6000-memory.dmp

      Filesize

      856KB

    • memory/2124-96-0x0000000001070000-0x0000000001146000-memory.dmp

      Filesize

      856KB

    • memory/2236-87-0x00000000009E0000-0x0000000000AB6000-memory.dmp

      Filesize

      856KB

    • memory/2368-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

      Filesize

      4KB

    • memory/2368-2-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

      Filesize

      9.9MB

    • memory/2368-1-0x0000000001010000-0x00000000010E6000-memory.dmp

      Filesize

      856KB

    • memory/2368-32-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

      Filesize

      9.9MB

    • memory/2420-68-0x00000000008D0000-0x00000000009A6000-memory.dmp

      Filesize

      856KB

    • memory/2440-72-0x00000000003B0000-0x0000000000486000-memory.dmp

      Filesize

      856KB

    • memory/2464-91-0x0000000001250000-0x0000000001326000-memory.dmp

      Filesize

      856KB

    • memory/2492-41-0x0000000000280000-0x0000000000356000-memory.dmp

      Filesize

      856KB

    • memory/2776-51-0x0000000000830000-0x0000000000906000-memory.dmp

      Filesize

      856KB

    • memory/2824-69-0x0000000000390000-0x0000000000466000-memory.dmp

      Filesize

      856KB