Analysis

  • max time kernel
    600s
  • max time network
    606s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 16:50

General

  • Target

    Desktop.exe

  • Size

    2.9MB

  • MD5

    870bc89aac12414fb0b2283d58a57ce9

  • SHA1

    2e3a4127668b6ae2db7566853a089f885911fd3c

  • SHA256

    1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2

  • SHA512

    88d064936ae963939c1767663dd5a0807eee1c5e3c0cea48dec48be743b20fd1cdad298e708134683d3a3b2785146637d5206eb014a10be0724eeb0404e8a7c7

  • SSDEEP

    49152:xvY3ShUkwbb96kTTEGjFZ01vkfDpf5YVNFbHKpRvv1BRHoMJKxRFwLfe:xw3MUkinXfjFZKvkf95YtjOVo2wRFZ

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 34 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 39 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
      "C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
        "C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3660
            • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
              "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\odt\spoolsv.exe
                "C:\odt\spoolsv.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:672
    • C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
      "C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 14 /tr "'C:\odt\Sessioncrt.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Sessioncrt" /sc ONLOGON /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 9 /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1472
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4436
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3056
  • C:\odt\services.exe
    C:\odt\services.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2084
  • C:\Users\Default\Application Data\conhost.exe
    "C:\Users\Default\Application Data\conhost.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3120
  • C:\Recovery\WindowsRE\csrss.exe
    C:\Recovery\WindowsRE\csrss.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3400
  • C:\Program Files\Windows Photo Viewer\msedge.exe
    "C:\Program Files\Windows Photo Viewer\msedge.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4024
  • C:\Users\Default\dllhost.exe
    C:\Users\Default\dllhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1956
  • C:\odt\spoolsv.exe
    C:\odt\spoolsv.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2336
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:1316
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:724
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2000
  • C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe
    "C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3104
  • C:\odt\Sessioncrt.exe
    C:\odt\Sessioncrt.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:544

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sessioncrt.exe.log
            Filesize

            1KB

            MD5

            7800fca2323a4130444c572374a030f4

            SHA1

            40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

            SHA256

            29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

            SHA512

            c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
            Filesize

            1KB

            MD5

            baf55b95da4a601229647f25dad12878

            SHA1

            abc16954ebfd213733c4493fc1910164d825cac8

            SHA256

            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

            SHA512

            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

          • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
            Filesize

            2.5MB

            MD5

            83618e903d98ec133601e89c1a0e1702

            SHA1

            0eb9e4eb3a1e14db6de7daa2f2adf427ea69b72b

            SHA256

            3e691c4c223f7f73ec372a89395cb52de8857117e0a89f6add5b047cebb0954a

            SHA512

            15de670de060e06e3fd292b5b273a587ece2dc1e7d6052501a01ced508f65d2840c485745fb4852fc3edb2b8bbab471f3abaa524d24ef0b3a64b3131ec7977fb

          • C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
            Filesize

            2.2MB

            MD5

            48e1d67ef1b8e21942e80ef139c49ab5

            SHA1

            f6afc9a69a1f87e4eee7292d24baef715fee9edd

            SHA256

            e9eefea3acb118651c066d0f2a3aa0af471678d601198025f4a30b8fef810b08

            SHA512

            34498df32a3d9ee468bc94b046da999d56af25c850f77f817ac1117a60ded8e19ca1194e5d421fddbac2c9a54da71a4e435b88a10a8f04f67ba002b9275793b2

          • C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
            Filesize

            758KB

            MD5

            cb1929328dea316fcb34f3486697d16e

            SHA1

            8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

            SHA256

            7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

            SHA512

            90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

          • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat
            Filesize

            48B

            MD5

            f96a95d4ab98914fa1240be122d6f93f

            SHA1

            1cda6eceb85d4b3e5c97bf686a2fbbf506ddbcd5

            SHA256

            3cc300d7cc5eef9130a8a0fe3b748a2e00b1b57946c5d43df261a211375a5a67

            SHA512

            a210bc272db00f3f7da096a5a46c1aabf7f045b69eabd8e9d443d1c329005592f2efdaff8132c931d468ce434d099bb3da7d67c51f69b6ef8759b00deb52a179

          • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe
            Filesize

            227B

            MD5

            6412c9c4ee86bb8143388e5616d1b7c2

            SHA1

            9a5ac602a0e3087439260b045c7c590586a6dac1

            SHA256

            ae456de3284409c2b67cc2d99cde11e00d9947b23ccae05916f3b64ce5759835

            SHA512

            b4b0d3eb2b3eecef0342013fe19632ac5b9a75cb312a1430a536a8b87b9da1a1ca00a216de450c80ac10ed07b546f1920c36e49c7dddf5b9baf8f0147e305cf1

          • C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
            Filesize

            1.1MB

            MD5

            251de4b1e1bd67479d61328ad352fd95

            SHA1

            c089659cc5f2a8ccb354cc5f2244910fceabcba8

            SHA256

            507e76a1783eff3690bdf15de7dea88d18087b6713f9db5787d61c1e7fe26890

            SHA512

            1f9d43bc2d3acbda7e3b9bb63cbae41cbac790a363f0fa5bde2da07c3df913556d377f5dffd57865983df8de0255556b0b093ebb5a4ebb6b48ff04c2696a5cf7

          • memory/1828-51-0x000000001B990000-0x000000001B99A000-memory.dmp
            Filesize

            40KB

          • memory/1828-47-0x0000000000720000-0x000000000084C000-memory.dmp
            Filesize

            1.2MB

          • memory/1828-48-0x00000000027E0000-0x00000000027FC000-memory.dmp
            Filesize

            112KB

          • memory/1828-49-0x000000001BB10000-0x000000001BB60000-memory.dmp
            Filesize

            320KB

          • memory/1828-50-0x00000000027C0000-0x00000000027D0000-memory.dmp
            Filesize

            64KB

          • memory/1828-52-0x000000001B9A0000-0x000000001B9AC000-memory.dmp
            Filesize

            48KB

          • memory/4812-33-0x00007FFA05C70000-0x00007FFA06731000-memory.dmp
            Filesize

            10.8MB

          • memory/4812-98-0x00007FFA05C73000-0x00007FFA05C75000-memory.dmp
            Filesize

            8KB

          • memory/4812-99-0x00007FFA05C70000-0x00007FFA06731000-memory.dmp
            Filesize

            10.8MB

          • memory/4812-24-0x000002210DE00000-0x000002210DEC4000-memory.dmp
            Filesize

            784KB

          • memory/4812-21-0x00007FFA05C73000-0x00007FFA05C75000-memory.dmp
            Filesize

            8KB

          • memory/5004-41-0x0000000000950000-0x0000000000D53000-memory.dmp
            Filesize

            4.0MB

          • memory/5004-32-0x0000000000950000-0x0000000000D53000-memory.dmp
            Filesize

            4.0MB