dcrat | 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nursultan nexgen fix.exe
Size

1.5MB
MD5

a3d07c747770c9a471a44446e46e33d5
SHA1

8340534fb1770bae9660287ddb0496e243efcfe4
SHA256

16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512

307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP

24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2544	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2544	schtasks.exe	32

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d13-9.dat	dcrat
behavioral1/memory/2720-13-0x00000000003D0000-0x0000000000502000-memory.dmp	dcrat
behavioral1/memory/792-33-0x0000000000B70000-0x0000000000CA2000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2720	Containerruntime.exe
792	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\en-US\dwm.exe	Containerruntime.exe
File created	C:\Program Files\Windows Sidebar\en-US\6cb0b6c459d5d3	Containerruntime.exe
File created	C:\Program Files\Windows Defender\es-ES\6ccacd8608530f	Containerruntime.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe	Containerruntime.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240	Containerruntime.exe
File created	C:\Program Files\Windows Defender\es-ES\Idle.exe	Containerruntime.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	Containerruntime.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	Containerruntime.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\101b941d020240	Containerruntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\taskhost.exe	Containerruntime.exe
File created	C:\Windows\de-DE\b75386f1303e64	Containerruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe
2260	schtasks.exe
1732	schtasks.exe
2684	schtasks.exe
2560	schtasks.exe
1980	schtasks.exe
2228	schtasks.exe
2532	schtasks.exe
2752	schtasks.exe
2340	schtasks.exe
1300	schtasks.exe
2780	schtasks.exe
1800	schtasks.exe
2880	schtasks.exe
2124	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2492	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2720	Containerruntime.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
792	lsm.exe
892	chrome.exe
892	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
792	lsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	Containerruntime.exe
Token: SeDebugPrivilege	792	lsm.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe
Token: SeShutdownPrivilege	892	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2160	2420	nursultan nexgen fix.exe	28
PID 2420 wrote to memory of 2160	2420	nursultan nexgen fix.exe	28
PID 2420 wrote to memory of 2160	2420	nursultan nexgen fix.exe	28
PID 2420 wrote to memory of 2160	2420	nursultan nexgen fix.exe	28
PID 2160 wrote to memory of 2732	2160	WScript.exe	29
PID 2160 wrote to memory of 2732	2160	WScript.exe	29
PID 2160 wrote to memory of 2732	2160	WScript.exe	29
PID 2160 wrote to memory of 2732	2160	WScript.exe	29
PID 2732 wrote to memory of 2720	2732	cmd.exe	31
PID 2732 wrote to memory of 2720	2732	cmd.exe	31
PID 2732 wrote to memory of 2720	2732	cmd.exe	31
PID 2732 wrote to memory of 2720	2732	cmd.exe	31
PID 2720 wrote to memory of 792	2720	Containerruntime.exe	48
PID 2720 wrote to memory of 792	2720	Containerruntime.exe	48
PID 2720 wrote to memory of 792	2720	Containerruntime.exe	48
PID 2732 wrote to memory of 2492	2732	cmd.exe	49
PID 2732 wrote to memory of 2492	2732	cmd.exe	49
PID 2732 wrote to memory of 2492	2732	cmd.exe	49
PID 2732 wrote to memory of 2492	2732	cmd.exe	49
PID 892 wrote to memory of 600	892	chrome.exe	53
PID 892 wrote to memory of 600	892	chrome.exe	53
PID 892 wrote to memory of 600	892	chrome.exe	53
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 1784	892	chrome.exe	54
PID 892 wrote to memory of 2100	892	chrome.exe	55
PID 892 wrote to memory of 2100	892	chrome.exe	55
PID 892 wrote to memory of 2100	892	chrome.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\portagentbrowserweb\Containerruntime.exe
      "C:\portagentbrowserweb\Containerruntime.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Program Files\Microsoft Office\Office14\1033\lsm.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2079758,0x7fef2079768,0x7fef2079778
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2060 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2068 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3396 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1280,i,18323129311058802627,6042625031954728082,131072 /prefetch:8
  2⤵
  PID:1560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
00fc75d2da6ed69de0e43f5b6f9c7162

SHA1
089f85bb30d9692af46b860039e1455609229df6

SHA256
9d91917e8cc935b3128c00b57812b134c7fb501c4ba7ff1d5ed24346d7e50ef6

SHA512
71525a535b44e38aa471396b1a2986410b333c5328aa633506f6ea6cb36c82f6d4dc54ddf33c3f4873638806ba61ab854bdbf68db04eaa9aab6035936eeb730d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat

Filesize
157B

MD5
c8f8a078dace2ff4cb106803c9199643

SHA1
a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5

SHA256
1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d

SHA512
efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

Download Submit
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe

Filesize
220B

MD5
61a07f2f9e8e9b1f5175b2d60c3e3f18

SHA1
e695b0c2b43c786453bf3f6ae504f0626951d281

SHA256
5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1

SHA512
8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

Download Submit
\portagentbrowserweb\Containerruntime.exe

Filesize
1.2MB

MD5
5887a563351ca99247b7e2c448bd9f2e

SHA1
b24695e88143863297535989900bb7521ea86d67

SHA256
e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390

SHA512
b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

Download Submit
memory/792-33-0x0000000000B70000-0x0000000000CA2000-memory.dmp

Filesize
1.2MB

Download
memory/2720-13-0x00000000003D0000-0x0000000000502000-memory.dmp

Filesize
1.2MB

Download
memory/2720-16-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2720-15-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2720-14-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download