Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25-01-2025 23:33
General
-
Target
https://cdn1337.site
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn1337.site1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:12⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\123.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\123.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2612 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1756,5257920608690154335,9344754597235977798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\2983923.exe"C:\Users\Admin\Downloads\2983923.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\ESD\Winver.exe"C:\ESD/Winver.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iXakbNPcNe.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\ESD\spoolsv.exe"C:\ESD\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\ESD\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ESD\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\ESD\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\ESD\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ESD\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\ESD\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WinverW" /sc MINUTE /mo 13 /tr "'C:\ESD\Winver.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WinverW" /sc MINUTE /mo 13 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Downloads\2983923.exe"C:\Users\Admin\Downloads\2983923.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\ESD\Winver.exe"C:\ESD/Winver.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\2983923.exe"C:\Users\Admin\Downloads\2983923.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\ESD\Winver.exe"C:\ESD/Winver.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\2983923.exe"C:\Users\Admin\Downloads\2983923.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\ESD\Winver.exe"C:\ESD/Winver.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2983923.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Winver.exe"C:\Users\Admin\Desktop\Winver.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
190B
MD5e652dbefdc14989c6c143840598688fc
SHA1f7f8bd9277540b5dfe61608f9cc294677c235d9c
SHA256931f80ee9a44026f30b6f243c4a4b77c344d1c039548ca29028822bc8608f80c
SHA51299bc14f9515b438bb9c530b5785ab45d49ebcae6cd2e6dc8ace02c7adacd34eae576318db901e059092e596b2592334eeaceb675e9f887caa9a1c1cfe55837ed
-
Filesize
1.8MB
MD5d4f263a3feebfe196d5eceb651c9ffb7
SHA1dde163a9747f48004ed85777ced25062b16c62d7
SHA256c91143795474ec192096650cddcacd5d4e0d46b384e8a56dab7ca029ac2a7d43
SHA512f933264ab7fe364946619938a6997566f583f69a8d75698da4ad77833ce9e4514153fc5d54477fd9e19ae12e5b7fe19bdbc2a2c17a51d53f3c632a48635aa967
-
Filesize
70B
MD549df7cd2be033c4b1f2de946daeb968b
SHA13c6fda5eda780f3f7016ebf969697b8f365d06fd
SHA2566a8c02efc7143f4ee54e6e13a10050b525d265e0b5fcad04510eeae61e6561cd
SHA512cc4bb5b8c22a65e4b2c6ffa1dfcaea0a97fd651aa6d39922b461ee33a95fbd3c11246808d416ad16f570a882f4d77bb2cc851421d39f4caf92155e28dc1e5b3b
-
Filesize
1KB
MD51126a1de0a15000f1687b171641ffea6
SHA1dcc99b2446d05b8f0f970e3e9105198a20ca9e78
SHA256b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7
SHA5126cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4
-
Filesize
152B
MD5c0a1774f8079fe496e694f35dfdcf8bc
SHA1da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA51260d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b
-
Filesize
152B
MD5e11c77d0fa99af6b1b282a22dcb1cf4a
SHA12593a41a6a63143d837700d01aa27b1817d17a4d
SHA256d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3
-
Filesize
618B
MD5acf6454db2acfa44c3f03a24219cdbf6
SHA1f802e98c5b6e08e34bbd76834d9dc2ce3744f9c1
SHA256a265aef8a46278636ba69b474a1b6238c4e61ae359b4ba3dfa19a4d04a63c551
SHA5129e7f77f7c21d34afa3b5c8be1c789a4ed492de5da8211e4d6eb31429ebd4a0aef50594082fbe03fb35b45b1577849a5679c2b41263923b778c491784dc10cee0
-
Filesize
6KB
MD5260f7222ff511ea30e8d091a04e35d94
SHA1542d6d67924a259a1054ea26bbdae757f24c11df
SHA256082b6e8e72133a4870071306ffb2634772d800940b4bf490fcf7f6a0883f190c
SHA512473dd9913d4c41bf08c07546ea73af47e03a1e728e3bb9e80eeb9a1bb2b0b885560f7b246d5238945f8ad185dd331f0864d6c80e106acc36e78e8a4016f26ce8
-
Filesize
6KB
MD52f146ca506ed438262e0da6afafcb4db
SHA13d670f8fbd8225c22081cc53fd895f1cf0656ced
SHA256b87414024e4ddcc93b73a3932eb56e2873b79b7d41e7a7adc5036728a2a3c022
SHA512ee17cab252bb568a397e8a25a859c3cf7aa1dc1839a4e275cef760e9ce6417c1b91814f24f64df6838e9e715276330ad933b436bd62f8428942afb5142dd36b2
-
Filesize
5KB
MD5527ba84428d2f7bc3e72db24eaa59706
SHA188b76ab9bf79080ebb550eda5cf7b84087b9b981
SHA25636118ef419c47cd69d46490b4db16d7011ea163330a1412be1553b88ec83f707
SHA512505ade965d6359c8f991fe6ee5145e5e17ab28a42fddee3ff1dfd77cd23f9c0c82f7f07dc12ca39599e9c17da46edd714cb6603221e35267e7df7b785a264af1
-
Filesize
6KB
MD5c9b5b72d8df441f24d7201a265a95fe8
SHA130d9c467085ffb179baf13d8363157a04e6d7dd7
SHA256fbdd7fed21a7d024525ab40f5f65eb13ff2e54200e98cdd9d184ff5d8b5a7c90
SHA51248a79a94c4cf7f9f3438048881bfd22df13fde14c201423f416681db260370f89914085718215f4da1e23da4c090a143eaf6a7240b4e1dcd415e87aed9ac8812
-
Filesize
6KB
MD5b42f9909f6a75d19ccd740a5580cf011
SHA1d19bb1ec38c4ace5d41644adc71e12bd37f39b6d
SHA256d3cecd5de8e835cd91582b1de888b6ec52a6a7fcb49dea60d9950f710e4732d6
SHA512f74025cb063d87945de6203034265cec8602828f038e6064cf2d2d22e20195afaeee7a2f0f9415da8ad68af9ec7c28977077bca4c02a5a7d7e27c384df2c1558
-
Filesize
372B
MD5c4547e261bdc736dd8f4e1dbbecd7866
SHA15205c0c621a8616397adac8d02cb569618d822b5
SHA256cd65d10f32ca8000a34ac458b6e2a5b0f8a418e5587bd503d0fa91a5a27f0d00
SHA5124d17375e91faa98b47fe57468f57bf8cebcb8098b261cb98bebda51577c8f3f351e2eb4039deeca1a85f29851c5012c7fa35fae685e33774c9feafac784ca5ad
-
Filesize
372B
MD5561539ad9da0f0cd7000a12f1ab2525a
SHA16333ad1e8b3ce6581a29a532f5927c964ce41112
SHA2565e14ce76ef1ac10e6e96a8d1ac93cb84e34e7f0ae1c0c4f70ec6d02c04ff19a8
SHA512430ec52fa9c2f99798ffa598380bdc3a2253418f9dd2483534628b50f458dd82a9802348e043a97656d2c01b08b1308f1df80a021c71b067217d26179fe08534
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD57187af1d581582986f5f624d475a51f9
SHA1e0df3c8bea7e1e1c42d862a16a0db8545579af27
SHA256e7a614d0f4f20ad8400162bb8f428568b68f1cab65c375c770d653f1fb4ea8f6
SHA512e984faf644adbd1a51c653f55ba9a110b5ce48dee95e8fba64d69696f9017fd1d743ec63daf1fa208b7738df77d95dab3eb7ac003ef2911f1a12f6f0af7b2927
-
Filesize
10KB
MD587a816b6271b440a20f2dc28b6d3887c
SHA108480c51eb0b63c9fac4b09377f1b2b226beb023
SHA256303faaecee08129cb3ce9a0ad653c0c1af9f405236c086d52fe8e5bda309000b
SHA51249971dd54c3b82c3670bb121107b9deb4fc36faaabb33c6aa6dbf35e64cff7c17eadc0054773e062981dfdd61a4865f643ee4e70f1940839938d196c37e2bc07
-
Filesize
10KB
MD5d12596fefdb7cdc291db96c310280df6
SHA1b0555ed105c51a4cb162f5732505b0b6d1160b55
SHA25659e0a3aec640df66baed9255e5be8a8a57584a7a5b3bebcab978269a25424fbe
SHA512218b108d333ca8bdddce55d1915dc5bc218f357265adea6438c181c4db91a90f201c8e4e3a7888f1c90b5084e0b648354b91afa9388d02b20ae55055e217e5b4
-
Filesize
194B
MD574c6143fe6dcad744de37eb9e5f13852
SHA18d30871897b521d3fd143c0b485879b0ca053c08
SHA256107a6cd9db7c01638fecbb8dce7b465c391aa3c494a82b6a80c7fe6ff2b81307
SHA512514583e361f6dd57b736b57e89324dadaeb7b7dd3e6afeb98da9340eace1a497e50962d4ff5c53c6be1a224859885aca2f8981626f2e04e5238c57c04c44b927
-
Filesize
2.1MB
MD5261edf92e8d85c7a9f7151080ea80467
SHA1be7cba5291a89ccaed22bfb092a7651d34a36def
SHA256e21cfe74517aaaad37fd5b4825fa4eb97edc6c8daeb386e0cf562b5901f7fdeb
SHA512bec64fce5dc2a93edf16963236c975409ca4f40c8809e6a16661578d99ff0fd09178c0d7c293211f6da2419342e71e9532f17d6e455a5ef573326c4fa7fb7c8c
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
50B
MD5dce5191790621b5e424478ca69c47f55
SHA1ae356a67d337afa5933e3e679e84854deeace048
SHA25686a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
1.8MB
