dcrat | hxxps://disk[.]yandex[.]ru/d/WO0EaLJqnt5DLw

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/WO0EaLJqnt5DLw

Score

10^/10

dcrat evasion infostealer pyinstaller rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\comServerbrowserruntime\Driverbrokermonitor.exe	dcrat
C:\comServerbrowserruntime\Driverbrokermonitor.exe	dcrat
behavioral2/memory/4964-157-0x0000000000FE0000-0x000000000161C000-memory.dmp	dcrat
behavioral2/memory/4964-158-0x0000000000FE0000-0x000000000161C000-memory.dmp	dcrat
behavioral2/memory/4964-162-0x0000000000FE0000-0x000000000161C000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Driverbrokermonitor.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Driverbrokermonitor.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

CrystalLoader.exeCrystalLoader.exeDriverbrokermonitor.exe

pid process

5876 CrystalLoader.exe
6028 CrystalLoader.exe
4964 Driverbrokermonitor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Driverbrokermonitor.exe

pid	process
5876	CrystalLoader.exe
6028	CrystalLoader.exe
4964	Driverbrokermonitor.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Driverbrokermonitor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Driverbrokermonitor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Driverbrokermonitor.exe

Loads dropped DLL 5 IoCs

Processes:

CrystalLoader.exe

pid process

6028 CrystalLoader.exe
6028 CrystalLoader.exe
6028 CrystalLoader.exe
6028 CrystalLoader.exe
6028 CrystalLoader.exe

pid	process
6028	CrystalLoader.exe
6028	CrystalLoader.exe
6028	CrystalLoader.exe
6028	CrystalLoader.exe
6028	CrystalLoader.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\comServerbrowserruntime\Driverbrokermonitor.exe	themida
C:\comServerbrowserruntime\Driverbrokermonitor.exe	themida
behavioral2/memory/4964-157-0x0000000000FE0000-0x000000000161C000-memory.dmp	themida
behavioral2/memory/4964-158-0x0000000000FE0000-0x000000000161C000-memory.dmp	themida
behavioral2/memory/4964-162-0x0000000000FE0000-0x000000000161C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Driverbrokermonitor.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Driverbrokermonitor.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

296 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Driverbrokermonitor.exe

pid process

4964 Driverbrokermonitor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Driverbrokermonitor.exe

flow	ioc
296	ip-api.com

pid	process
4964	Driverbrokermonitor.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\CrystalLoader.exe	pyinstaller
C:\Users\Admin\Downloads\CrystalLoader.exe	pyinstaller
C:\Users\Admin\Downloads\CrystalLoader.exe	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeDriverbrokermonitor.exechrome.exe

pid	process
4004	chrome.exe
4004	chrome.exe
4656	chrome.exe
4656	chrome.exe
540	chrome.exe
540	chrome.exe
404	chrome.exe
404	chrome.exe
5012	chrome.exe
5012	chrome.exe
1468	chrome.exe
1468	chrome.exe
3940	chrome.exe
3940	chrome.exe
4964	chrome.exe
4964	chrome.exe
5592	chrome.exe
5592	chrome.exe
5904	chrome.exe
5904	chrome.exe
4964	Driverbrokermonitor.exe
4964	Driverbrokermonitor.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4656 chrome.exe
4656 chrome.exe
4656 chrome.exe
4656 chrome.exe
4656 chrome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Driverbrokermonitor.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	4964	Driverbrokermonitor.exe
Token: SeRestorePrivilege	5744	7zG.exe
Token: 35	5744	7zG.exe
Token: SeSecurityPrivilege	5744	7zG.exe
Token: SeSecurityPrivilege	5744	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CrystalLoader.exeCrystalLoader.exe

pid process

5876 CrystalLoader.exe
6028 CrystalLoader.exe

pid	process
5876	CrystalLoader.exe
6028	CrystalLoader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4656 wrote to memory of 4552	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4552	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4560	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4004	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 4004	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe
PID 4656 wrote to memory of 3924	4656	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://disk.yandex.ru/d/WO0EaLJqnt5DLw
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc938f4f50,0x7ffc938f4f60,0x7ffc938f4f70
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1104 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
PID:5668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
PID:5660

C:\Users\Admin\Downloads\CrystalLoader.exe
"C:\Users\Admin\Downloads\CrystalLoader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5876

C:\Users\Admin\Downloads\CrystalLoader.exe
"C:\Users\Admin\Downloads\CrystalLoader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\comServerbrowserruntime\Driverbrokermonitor.exe
4⤵
PID:1744

C:\comServerbrowserruntime\Driverbrokermonitor.exe
C:\comServerbrowserruntime\Driverbrokermonitor.exe
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2352 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3290114491786301966,3561973765078433466,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 /prefetch:8
2⤵
PID:5860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\winver.exe
"C:\Windows\System32\winver.exe"
1⤵
PID:664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap28992:356:7zEvent275 -t7z -sae -- "C:\Users\Admin\Desktop\Desktop.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\_bz2.pyd
Filesize
81KB

MD5
183f1289e094220fbb2841918798598f

SHA1
e85072e38ab8ed17c13dd4c65dcf20ef8182672b

SHA256
164f1bf42630b589b50c8f0c6e55aaa8d817e439a00882be036fff3cbe8e6ded

SHA512
a0a5536709b0701c10b91ab1c670de80163689bd95168ea5dc5ebc11b20d84da4c639495779d0317659d6b1ce037daf34764f78759b3f0d785e33b52fa94ffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\_bz2.pyd
Filesize
81KB

MD5
183f1289e094220fbb2841918798598f

SHA1
e85072e38ab8ed17c13dd4c65dcf20ef8182672b

SHA256
164f1bf42630b589b50c8f0c6e55aaa8d817e439a00882be036fff3cbe8e6ded

SHA512
a0a5536709b0701c10b91ab1c670de80163689bd95168ea5dc5ebc11b20d84da4c639495779d0317659d6b1ce037daf34764f78759b3f0d785e33b52fa94ffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\_lzma.pyd
Filesize
154KB

MD5
fd4c7582bee16436bb3f790e1273eb22

SHA1
6d6850b03c5238fff6b53cb85f94eff965fa8992

SHA256
8aa5cd82d775ea718d3ddd270f0b28985d8711ef937447ee2168318200f0eb80

SHA512
c508bea6e1eed5b71b3e78d0817c6fce27152f6bc539fea94c7923183339c1559655b74808ef0403dbc458e037342de97c3b01e06e7b7f56ce152267f8db8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\_lzma.pyd
Filesize
154KB

MD5
fd4c7582bee16436bb3f790e1273eb22

SHA1
6d6850b03c5238fff6b53cb85f94eff965fa8992

SHA256
8aa5cd82d775ea718d3ddd270f0b28985d8711ef937447ee2168318200f0eb80

SHA512
c508bea6e1eed5b71b3e78d0817c6fce27152f6bc539fea94c7923183339c1559655b74808ef0403dbc458e037342de97c3b01e06e7b7f56ce152267f8db8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\base_library.zip
Filesize
1.0MB

MD5
48b0a00c5b196722a038b564019be298

SHA1
7b93d3bd4350a1b8eaadd589991b7267fe678abf

SHA256
33f49ecdb05d3443da7ee750b68e9a947266dd8e05c9b345536aa4b225110161

SHA512
386e8b88a807543b53d451c9af3621c89dd2494daf9f26cbb69b5ad81e82bdfbb351169af658fb8662014c7abffdb380dcede45505674482c2ccab13497c8a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\main.zip
Filesize
3.4MB

MD5
d8a777ed81bead16ad93811fda990be5

SHA1
bf0d8d6cd71b492d1fd5621df47beda1e29fccd7

SHA256
3096afcd3267f5e3e21051ecd5ba2707046d3aab7d1714e0fca7ba5bb932f00f

SHA512
24bd5601c05adb3640c326a6b220a30bfa6a8f08fabdd314d7a5c31de97d85d399ec6f445142c283858f973d90ba9f7cdc6b7f2e63d4738d2a8ceac88432258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\python310.dll
Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\python310.dll
Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\ucrtbase.dll
Filesize
987KB

MD5
341c143dd92867641c412472c8083a8f

SHA1
77f8b3443f51a2690b6ca45292ffe43c0333444b

SHA256
e33d9c8a6a75dbba95c844adbca7e84259a2116aa17f7f27d73c2a58a349e2c8

SHA512
b434525fdb9bcbc91f81e987f950e00b4d01586cc97640eca1296a5d123a7c2f264c68679b45379da3deda7799a6492183a9c970e8806058b23b2a714fd5325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58762\ucrtbase.dll
Filesize
987KB

MD5
341c143dd92867641c412472c8083a8f

SHA1
77f8b3443f51a2690b6ca45292ffe43c0333444b

SHA256
e33d9c8a6a75dbba95c844adbca7e84259a2116aa17f7f27d73c2a58a349e2c8

SHA512
b434525fdb9bcbc91f81e987f950e00b4d01586cc97640eca1296a5d123a7c2f264c68679b45379da3deda7799a6492183a9c970e8806058b23b2a714fd5325a

Download Submit
C:\Users\Admin\Downloads\CrystalLoader.exe
Filesize
9.8MB

MD5
839fd675b39c289bb14ffb4456cfe5ef

SHA1
8f49698d9714cb5513603456617b12d9765ceea4

SHA256
6ca8c062b30d3741fc061fed79a46e76bbc4b3028a22bb9d7fe042b66be94acf

SHA512
ca44397e13aa4b6063a29087fe9fd5bf7d12f59f6644e3201feb7ed79f6c8ed6ac29b1cd5b7547289ff716723be992b7c8d0b6d50d158541462e2064709ce167

Download Submit
C:\Users\Admin\Downloads\CrystalLoader.exe
Filesize
9.8MB

MD5
839fd675b39c289bb14ffb4456cfe5ef

SHA1
8f49698d9714cb5513603456617b12d9765ceea4

SHA256
6ca8c062b30d3741fc061fed79a46e76bbc4b3028a22bb9d7fe042b66be94acf

SHA512
ca44397e13aa4b6063a29087fe9fd5bf7d12f59f6644e3201feb7ed79f6c8ed6ac29b1cd5b7547289ff716723be992b7c8d0b6d50d158541462e2064709ce167

Download Submit
C:\Users\Admin\Downloads\CrystalLoader.exe
Filesize
9.8MB

MD5
839fd675b39c289bb14ffb4456cfe5ef

SHA1
8f49698d9714cb5513603456617b12d9765ceea4

SHA256
6ca8c062b30d3741fc061fed79a46e76bbc4b3028a22bb9d7fe042b66be94acf

SHA512
ca44397e13aa4b6063a29087fe9fd5bf7d12f59f6644e3201feb7ed79f6c8ed6ac29b1cd5b7547289ff716723be992b7c8d0b6d50d158541462e2064709ce167

Download Submit
C:\comServerbrowserruntime\Driverbrokermonitor.exe
Filesize
6.2MB

MD5
1a600e380ba013528392558806ccf3fc

SHA1
77da042c44d79a5cf466ab9829d1e7a1cd303281

SHA256
7f8cc241b6d8061ba958973e67d1b0e52db7c4c6fa79d3f68baa3872bd357e25

SHA512
9c3145556d4c7d948e5bad75da55df6f32dd229c6b6a6937b1e76f35e4d38f9dca8c17d4aed1085f01380872393e3feee7ff2a0e11841b0326785b1678712ce4

Download Submit
C:\comServerbrowserruntime\Driverbrokermonitor.exe
Filesize
6.2MB

MD5
1a600e380ba013528392558806ccf3fc

SHA1
77da042c44d79a5cf466ab9829d1e7a1cd303281

SHA256
7f8cc241b6d8061ba958973e67d1b0e52db7c4c6fa79d3f68baa3872bd357e25

SHA512
9c3145556d4c7d948e5bad75da55df6f32dd229c6b6a6937b1e76f35e4d38f9dca8c17d4aed1085f01380872393e3feee7ff2a0e11841b0326785b1678712ce4

Download Submit
\??\pipe\crashpad_4656_FJUKQLCNIQHSGYWV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1744-151-0x0000000000000000-mapping.dmp

Download
memory/4964-152-0x0000000000000000-mapping.dmp

Download
memory/4964-155-0x0000000000FE0000-0x000000000161C000-memory.dmp

Filesize
6.2MB

Download
memory/4964-157-0x0000000000FE0000-0x000000000161C000-memory.dmp

Filesize
6.2MB

Download
memory/4964-159-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/4964-158-0x0000000000FE0000-0x000000000161C000-memory.dmp

Filesize
6.2MB

Download
memory/4964-160-0x0000000006520000-0x0000000006AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4964-161-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/4964-162-0x0000000000FE0000-0x000000000161C000-memory.dmp

Filesize
6.2MB

Download
memory/4964-163-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/5876-134-0x0000000000000000-mapping.dmp

Download
memory/6028-137-0x0000000000000000-mapping.dmp

Download