dcrat | be7dd6132932358d0d3f9f8ec8e6873b33209c1472693794432b436d3054b57d

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NixWare Crck by cvrsxd.exe
Size

7.7MB
MD5

7f15f641a57e45f8df8699d0252c21a8
SHA1

9c43544e6ce38515308e8c332739db4c1e20a1b0
SHA256

35eb19ea69a24e05c25dc6b2adab9251b8fe30e91e8217e271bda0acf750590c
SHA512

3c1d78c6df1bc684dc54690a3ce4bc672b7e9c2ac944b04cef9a6613ee4de8cb28f9e8cdd75b22e99d5261e7d01caad0c11e8de73d2e338c994d8969e50277a9
SSDEEP

196608:q9P9NAfoqdQmRrdA6lsuErSEEJwdF6OrtYPXk0X:+P96f9dQOls+9JOrt8X

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\surrogateagentDllcommon\mshyperruntime.exe	dcrat
C:\surrogateagentDllcommon\mshyperruntime.exe	dcrat
behavioral1/memory/972-150-0x0000000000AE0000-0x0000000000BD6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

INST.exemshyperruntime.exe

pid process

4888 INST.exe
972 mshyperruntime.exe

pid	process
4888	INST.exe
972	mshyperruntime.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INST.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

Processes:

NixWare Crck by cvrsxd.exe

pid process

1360 NixWare Crck by cvrsxd.exe
1360 NixWare Crck by cvrsxd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2316 2956 WerFault.exe

pid	process
1360	NixWare Crck by cvrsxd.exe
1360	NixWare Crck by cvrsxd.exe

pid	pid_target	process	target process
2316	2956	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

Processes:

INST.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings INST.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	INST.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
4376	chrome.exe
4376	chrome.exe
3724	chrome.exe
3724	chrome.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3520 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3724 chrome.exe
3724 chrome.exe
3724 chrome.exe

pid	process
3520	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

mshyperruntime.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	972	mshyperruntime.exe
Token: SeDebugPrivilege	3520	taskmgr.exe
Token: SeSystemProfilePrivilege	3520	taskmgr.exe
Token: SeCreateGlobalPrivilege	3520	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NixWare Crck by cvrsxd.exeNixWare Crck by cvrsxd.execmd.exeINST.exeWScript.execmd.exechrome.exe

description	pid	process	target process
PID 804 wrote to memory of 1360	804	NixWare Crck by cvrsxd.exe	NixWare Crck by cvrsxd.exe
PID 804 wrote to memory of 1360	804	NixWare Crck by cvrsxd.exe	NixWare Crck by cvrsxd.exe
PID 1360 wrote to memory of 1276	1360	NixWare Crck by cvrsxd.exe	cmd.exe
PID 1360 wrote to memory of 1276	1360	NixWare Crck by cvrsxd.exe	cmd.exe
PID 1360 wrote to memory of 1396	1360	NixWare Crck by cvrsxd.exe	cmd.exe
PID 1360 wrote to memory of 1396	1360	NixWare Crck by cvrsxd.exe	cmd.exe
PID 1396 wrote to memory of 4888	1396	cmd.exe	INST.exe
PID 1396 wrote to memory of 4888	1396	cmd.exe	INST.exe
PID 1396 wrote to memory of 4888	1396	cmd.exe	INST.exe
PID 4888 wrote to memory of 4048	4888	INST.exe	WScript.exe
PID 4888 wrote to memory of 4048	4888	INST.exe	WScript.exe
PID 4888 wrote to memory of 4048	4888	INST.exe	WScript.exe
PID 4048 wrote to memory of 4052	4048	WScript.exe	cmd.exe
PID 4048 wrote to memory of 4052	4048	WScript.exe	cmd.exe
PID 4048 wrote to memory of 4052	4048	WScript.exe	cmd.exe
PID 4052 wrote to memory of 972	4052	cmd.exe	mshyperruntime.exe
PID 4052 wrote to memory of 972	4052	cmd.exe	mshyperruntime.exe
PID 3724 wrote to memory of 2564	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2564	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 2016	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 4376	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 4376	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 4936	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 4936	3724	chrome.exe	chrome.exe
PID 3724 wrote to memory of 4936	3724	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\NixWare Crck by cvrsxd.exe
"C:\Users\Admin\AppData\Local\Temp\NixWare Crck by cvrsxd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\NixWare Crck by cvrsxd.exe
"C:\Users\Admin\AppData\Local\Temp\NixWare Crck by cvrsxd.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateagentDllcommon\GZwf4yd4O.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\surrogateagentDllcommon\doa3OCJ4Ks5Oxl00.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\surrogateagentDllcommon\mshyperruntime.exe
"C:\surrogateagentDllcommon\mshyperruntime.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f98f4f50,0x7ff8f98f4f60,0x7ff8f98f4f70
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,3875459072066023157,14982475842821136193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
PID:796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2956 -ip 2956
1⤵
PID:4456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2956 -s 2456
1⤵
- Program crash
PID:2316

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
1.2MB

MD5
de842a46a3ef4aeeb45534e760ee3a63

SHA1
754125f732346f3aea386c02e6d6f893890c0a46

SHA256
531ef84d65eb64e380915db2edef4f5de3b7a1b1a9cdddcceb89f42f3c89019b

SHA512
8310b135ee2696b46e8579c93edf53f9c1f83b39531c314005f8a1c1a291073c5a34a7a9f6d068bed0a79af5f9c492ebeb3b1a272e681b67d03f8a4848d4bdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
1.2MB

MD5
de842a46a3ef4aeeb45534e760ee3a63

SHA1
754125f732346f3aea386c02e6d6f893890c0a46

SHA256
531ef84d65eb64e380915db2edef4f5de3b7a1b1a9cdddcceb89f42f3c89019b

SHA512
8310b135ee2696b46e8579c93edf53f9c1f83b39531c314005f8a1c1a291073c5a34a7a9f6d068bed0a79af5f9c492ebeb3b1a272e681b67d03f8a4848d4bdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\base_library.zip
Filesize
1.7MB

MD5
c6b150f2eca4eec01765bdae9a78e097

SHA1
1eaf2a18863af05d4f8183978ea6ecadd21ed3de

SHA256
b8e074772e3f8203de0e4313ac274de4d4e5b5e847a3fe3dc4171413ea2a4502

SHA512
697cdcd1f23cf67683836cca593df643f3f2d3f139fdbf86bf990bd7c29a6721d8199fbff491cb234d2fb65bcd4f32f07796b8b522b895a52095d17628beb846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\python311.dll
Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8042\python311.dll
Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\surrogateagentDllcommon\GZwf4yd4O.vbe
Filesize
216B

MD5
e6305853275cb0e79237a56c58942a25

SHA1
802aced73f7c73643de8372054b11b1227c5a2ad

SHA256
7a7bfea9714a1105d89b8aef0bb17453543d734c9eb1bea82bff3c11e8440a90

SHA512
245d141b718d1706110021a7cda8290a7f0c8887fe4aaeb88ec73a674587b759608a536124dbf92a42bc222b9281204cb7d7970d2a9874e22b4c5da55ebe2342

Download Submit
C:\surrogateagentDllcommon\doa3OCJ4Ks5Oxl00.bat
Filesize
47B

MD5
cec03773ff5eb99f862e298a72fed66e

SHA1
7a5fff28404e1ca6dec33cafaf86721a2b85a2f4

SHA256
5b8972a608d21ec4a4af6adb9c17bd4f483832751b7406f7af0603c4432cd751

SHA512
8f50f23964f89c9f43e23879472c8bbfb07f937db4866bf2f6b9862ed761c177477bb7bf863917e7f81ee0a4c7ba8186e3d02ff01a54bfd4bc6199eb3c0b8c99

Download Submit
C:\surrogateagentDllcommon\mshyperruntime.exe
Filesize
952KB

MD5
ea336b0c1431e45202e6fbda1dbf9701

SHA1
3e38e2b1e146f5b269df637d30463b80871a0158

SHA256
2c3c37275b96c03707bd355af091cbca3988a97a9b9529264aa9498118893193

SHA512
fd3a68bee0bec43d58803b2875f6309755a938e3aade57d4552cdaae8da2a10bb6693d5b08626f21475939c9f1f488e98d981811d0c900c900f8ab0e9b3ae19b

Download Submit
C:\surrogateagentDllcommon\mshyperruntime.exe
Filesize
952KB

MD5
ea336b0c1431e45202e6fbda1dbf9701

SHA1
3e38e2b1e146f5b269df637d30463b80871a0158

SHA256
2c3c37275b96c03707bd355af091cbca3988a97a9b9529264aa9498118893193

SHA512
fd3a68bee0bec43d58803b2875f6309755a938e3aade57d4552cdaae8da2a10bb6693d5b08626f21475939c9f1f488e98d981811d0c900c900f8ab0e9b3ae19b

Download Submit
\??\pipe\crashpad_3724_MHWYDEHAYSRVUVGQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/972-153-0x00007FF8F85D0000-0x00007FF8F9091000-memory.dmp

Filesize
10.8MB

Download
memory/972-151-0x00007FF8F85D0000-0x00007FF8F9091000-memory.dmp

Filesize
10.8MB

Download
memory/972-147-0x0000000000000000-mapping.dmp

Download
memory/972-150-0x0000000000AE0000-0x0000000000BD6000-memory.dmp

Filesize
984KB

Download
memory/1276-138-0x0000000000000000-mapping.dmp

Download
memory/1360-132-0x0000000000000000-mapping.dmp

Download
memory/1396-139-0x0000000000000000-mapping.dmp

Download
memory/4048-143-0x0000000000000000-mapping.dmp

Download
memory/4052-146-0x0000000000000000-mapping.dmp

Download
memory/4888-140-0x0000000000000000-mapping.dmp

Download