Analysis

  • max time kernel
    98s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 17:09

General

  • Target

    Dox_tool.exe

  • Size

    1.7MB

  • MD5

    276b2bfee53d4a1bd9b6ea4d2f1b7dda

  • SHA1

    675296357dee37115c193e31fac2de25964f5270

  • SHA256

    d9f6c68201892bafc05114797bcfe7d38d14e0d33604fa2b987cd9fb10b0606f

  • SHA512

    58f68ce2fa13fd24bc9d93439560d55fc1121eb2ed949f4b9cbcf6aaaf9363ed55803f1a3714c1a171c2b9c7311aae23867624ea8e0987f3108f0a14199324c3

  • SSDEEP

    24576:U2G/nvxW3Ww0tlRnL691WiZw7xxf2sOQY6/8YHz4m5LG+sn501TW4l/KXFUO9RZQ:UbA30lBL6e7Xjc4euy4l/KXFU6Ih9

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\Dox_tool.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\webhostDll\fNHZv.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\webhostDll\0290EbjbBDdweKiQhFfH.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\webhostDll\hyperAgent.exe
          "C:\webhostDll\hyperAgent.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X52UoDroZs.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2776
              • C:\Program Files\Uninstall Information\lsass.exe
                "C:\Program Files\Uninstall Information\lsass.exe"
                6⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgent" /sc ONLOGON /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "hyperAgenth" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\hyperAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\de-DE\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\webhostDll\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\webhostDll\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\webhostDll\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\de-DE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\webhostDll\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\webhostDll\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\webhostDll\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2444
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef529758,0x7feef529768,0x7feef529778
        2⤵
          PID:2908
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:2
          2⤵
            PID:1364
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:8
            2⤵
              PID:1620
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:8
              2⤵
                PID:1764
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:1
                2⤵
                  PID:1352
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:1
                  2⤵
                    PID:2308
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1976 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:2
                    2⤵
                      PID:1296
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:1
                      2⤵
                        PID:1504
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:8
                        2⤵
                          PID:3044
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3868 --field-trial-handle=1392,i,15424303728911430863,13952358159780727022,131072 /prefetch:1
                          2⤵
                            PID:1752
                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                          1⤵
                            PID:568

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

                            Filesize

                            211KB

                            MD5

                            151fb811968eaf8efb840908b89dc9d4

                            SHA1

                            7ec811009fd9b0e6d92d12d78b002275f2f1bee1

                            SHA256

                            043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

                            SHA512

                            83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

                            Filesize

                            16B

                            MD5

                            aefd77f47fb84fae5ea194496b44c67a

                            SHA1

                            dcfbb6a5b8d05662c4858664f81693bb7f803b82

                            SHA256

                            4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                            SHA512

                            b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                            Filesize

                            264KB

                            MD5

                            f50f89a0a91564d0b8a211f8921aa7de

                            SHA1

                            112403a17dd69d5b9018b8cede023cb3b54eab7d

                            SHA256

                            b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                            SHA512

                            bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                            Filesize

                            1KB

                            MD5

                            7818f880c854b79de33f3184e210709f

                            SHA1

                            5b578dda5e94f6981dacb1ed693cd81bd5e9297e

                            SHA256

                            91644aaa892e5a72b8ebad7771e180157e67cdd5451741ed46020e4db0fbe4a6

                            SHA512

                            eb4115dd293ae0e0316a7218ed3b9a545ce203accde4b9fb11c8d287fa2d07c03f9e1f1574ab17f4a63232afd0ecfca71f68003f503dcde05d9dcb6223b5c894

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                            Filesize

                            361B

                            MD5

                            623007566ca641bf4893d4e096ac5636

                            SHA1

                            5bd2ddb7b1ca1d859c539f94925eeac0d51039c1

                            SHA256

                            b890148cb710a36bdd91a1a474d017683743004de8a4089720a9a1bd64413ed9

                            SHA512

                            f6a2fb37029c82f26f895822cc26d0f148d9cfa2d07361453b28e0de0f90e66cb234e93d903db27fdfb7b5be13ecc5f4504e58e80570e1cc334bc64136de4bc4

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            ba389e081bf8a073713085d63b51c286

                            SHA1

                            a1fce0898e0df640d5e2611d820acae9f04db555

                            SHA256

                            2024dff6ebf6eeed4cbf19cdeb4df10231781ebbf5e96ab26b15d623a7f1acf2

                            SHA512

                            00052fa635d8facfe68a07e5578c02ba5aadb2c3069b308a6c0f9e50abf3c8cfc6e8c71859a2acfd84b63a7cc80ad4d61b464d78706543c9bd06fa23f4278746

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            c00e15872208a46ebe8f4f2dbc18146f

                            SHA1

                            1e4341a675a818e16ba602a9fe7c8e50b4370568

                            SHA256

                            428c064f7d6b33c45e275b6e602b87aead5fa87f1b31a2abc28867f6ab89f818

                            SHA512

                            75614c807a22d9462102c7089fc79dd77e8ce8facba19a0b728654fbc973af1d648f8d50ff2d8362f51b85108bf0e4e2df700f166aa3351ff0774f638d284f01

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                            Filesize

                            16B

                            MD5

                            18e723571b00fb1694a3bad6c78e4054

                            SHA1

                            afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                            SHA256

                            8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                            SHA512

                            43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                          • C:\Users\Admin\AppData\Local\Temp\X52UoDroZs.bat

                            Filesize

                            213B

                            MD5

                            a450c5e370faf1202ffe2ea5b26962f1

                            SHA1

                            4bcab27793c809291a73420fad0598093b7c63d7

                            SHA256

                            9f2b554faf128f13649f39cf21976178cff85753c66bf3e55ee0e4e3c39da8f1

                            SHA512

                            2a9a2cf2d1ee10b76c0d903050ac73668eba82a608447ff762aae2600ef43f9dbc4777493eb01513de9ca11699eb4bbd716ee0ceca95bd1d3d5f50963af51afc

                          • C:\webhostDll\0290EbjbBDdweKiQhFfH.bat

                            Filesize

                            30B

                            MD5

                            810733c00786845997b0aae47ea1fa35

                            SHA1

                            5397cadacb69da27c8720564529b79c4626f3191

                            SHA256

                            48fa19bdbe1aea2041d907aa0fbd832efca4b1c0f809e594bf35d4f48c2940f5

                            SHA512

                            77f0c9db49bce933c2f7c4293352a0626f2997fa417043e10e50f9b6c40fea5e744eb03e7d8850cbff34c1bf3e05f8c3b3637c632ce0c878bd61b7dfb3f6fe1d

                          • C:\webhostDll\fNHZv.vbe

                            Filesize

                            207B

                            MD5

                            cc0d1e3fc198a8e30655575eb2fc1013

                            SHA1

                            2adc5a011ec323cfedc33b33e9939befa69ae8fc

                            SHA256

                            50505261daaf6ed3d589b87313bd71b4fdc0786a9645ef2c684e2a9e3680cff3

                            SHA512

                            0e4f49fd4cce7ae8594733bc7b492ea5ed1b94aeee9af7f9e170e570c93e50c0cd84d2f350cf612d0fdd7adfdc31fadb8fc039b8ff5d1f92ece227fd124b8416

                          • \??\pipe\crashpad_2852_LQISVNVTWHZROTTN

                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                          • \webhostDll\hyperAgent.exe

                            Filesize

                            1.4MB

                            MD5

                            741ed82d8e221881bfdddfce745bb615

                            SHA1

                            b8c6122c5403419d2558550a46e6f8735117256b

                            SHA256

                            a9c733108faf9fde17095aa2ff04ac2af0c993c7845e964af6e943cd4230e86b

                            SHA512

                            5e9706608893a74405b24c34f9248acf3584a2a09fea1dd64d9a5e9ebc3a6721dafbd4fb2a524a09a76589eadf91bb2510ee37e3678bf9b9f8f417e2b94fda2b

                          • memory/2768-15-0x0000000000150000-0x000000000016C000-memory.dmp

                            Filesize

                            112KB

                          • memory/2768-20-0x00000000003C0000-0x00000000003CC000-memory.dmp

                            Filesize

                            48KB

                          • memory/2768-19-0x00000000003B0000-0x00000000003BA000-memory.dmp

                            Filesize

                            40KB

                          • memory/2768-18-0x00000000003A0000-0x00000000003AE000-memory.dmp

                            Filesize

                            56KB

                          • memory/2768-17-0x0000000000390000-0x00000000003A0000-memory.dmp

                            Filesize

                            64KB

                          • memory/2768-16-0x0000000000170000-0x0000000000186000-memory.dmp

                            Filesize

                            88KB

                          • memory/2768-14-0x0000000000140000-0x000000000014E000-memory.dmp

                            Filesize

                            56KB

                          • memory/2768-13-0x0000000000C30000-0x0000000000DA0000-memory.dmp

                            Filesize

                            1.4MB

                          • memory/2772-62-0x00000000003D0000-0x0000000000540000-memory.dmp

                            Filesize

                            1.4MB