dcrat | hxxps://drive[.]google[.]com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing

Analysis

max time kernel
527s
max time network
528s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing

Score

10^/10

dcrat credential_access discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000c000000023502-136.dat	dcrat
behavioral1/files/0x0007000000023507-157.dat	dcrat
behavioral1/memory/3212-159-0x0000000000F20000-0x0000000001052000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	cheat cs2 dada.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	bridgeMssvc.exe

Executes dropped EXE 2 IoCs

pid	Process
2624	cheat cs2 dada.exe
3212	bridgeMssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat cs2 dada.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	cheat cs2 dada.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
4768	msedge.exe
4768	msedge.exe
5100	identity_helper.exe
5100	identity_helper.exe
5468	msedge.exe
5468	msedge.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
3212	bridgeMssvc.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5904	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5904	7zFM.exe
Token: 35	5904	7zFM.exe
Token: SeSecurityPrivilege	5904	7zFM.exe
Token: SeDebugPrivilege	3212	bridgeMssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
5904	7zFM.exe
5904	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	cheat cs2 dada.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2284	4768	msedge.exe	84
PID 4768 wrote to memory of 2284	4768	msedge.exe	84
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 4620	4768	msedge.exe	87
PID 4768 wrote to memory of 1020	4768	msedge.exe	88
PID 4768 wrote to memory of 1020	4768	msedge.exe	88
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89
PID 4768 wrote to memory of 2260	4768	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/19YfmqcnVfgEolP6KujOlLM1bxQfgklhW/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8f2946f8,0x7ffd8f294708,0x7ffd8f294718
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14627035829553163062,18306342218973765259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5756

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\cheat cs2 dada.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5904

C:\Users\Admin\Desktop\cheat cs2 dada.exe
"C:\Users\Admin\Desktop\cheat cs2 dada.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Driversvc\tCotpHghVcuBa64RG5zII0GzSadK.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Driversvc\ZjkXiln9O7FJXNp1In5kIyxeOSm.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
  - - C:\Driversvc\bridgeMssvc.exe
      "C:\Driversvc\bridgeMssvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2rMIhTWdha.bat" "
        5⤵
        
        PID:5916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Driversvc\ZjkXiln9O7FJXNp1In5kIyxeOSm.bat

Filesize
30B

MD5
8bf8592d3c1fb245ef64ea325816cdf5

SHA1
7c59b7cbec284498edbfd610f2039e89c0c893cf

SHA256
b79db39d74abea986c1ff94736e73b876608fa745857f84cf7db690ed5cb1b7c

SHA512
f7013c59fe0701014d797cbf76fa36713ae8d6932e8e6b7092b72cbecd40a4a499c801252a6668a4610b92b50fabc05146e5e363d072fb3f923e5c16f5a52da6

Download Submit
C:\Driversvc\bridgeMssvc.exe

Filesize
1.2MB

MD5
d783bb038e0182a84fcccda666cb8ffd

SHA1
b09cea4d1330054f1470f6e4a27f527e26517cb9

SHA256
3c372ae2d251c40056241acdbd77e98550475fcfc7ea1bc491b1288ac141ce9c

SHA512
92e90b0847e1f5d3ca917b1bef5000fecf180d424ed9dbfccc3e02d28acd6b5d2651c35bd3d78a4019d85c6f39041536209c00877733c6cb645c9faba9ed817c

Download Submit
C:\Driversvc\tCotpHghVcuBa64RG5zII0GzSadK.vbe

Filesize
214B

MD5
1906bda2a1c548ebf87e233817862dd5

SHA1
bd64a6e60e632c5d0c8b912c540af6fbf5c5e12e

SHA256
d373dedfedd2093f4cfe7866abf59196edc6295f245a1d490eed8570de0a15f8

SHA512
78a4fd0ccc1f37626cb451a541f2f2d21571749375b398694425675bb30e3e5780516878b0200429b784fbf9ec4fafa9152bdeac8070f11a06b14da87e7c399f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
551f5abcb8256ba8319dbf2eefd90733

SHA1
71ff9529d9dffe26dda149e2d2eb50d6e424277b

SHA256
bb006e1751f5ff9d7eaff5ffa50cad8c1130431ed3429be7d2da1050a279f662

SHA512
faca979ad922089f33ca0f43445a7776eeae26e1f1bb2dfd41d7fa9565a708e9b1b881c966d9e09f65fd178c4240bd9f230f7dd3d008734ccca1248fd4925ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
215e731fc55635393fbf36b5098750c7

SHA1
00e7ffc2496ccaf2eef2595ee6af0a49a7d6ef5a

SHA256
5f9c732d33009161cded5e42cc35091eff29be91a96c854be0f3f532d50ed81f

SHA512
bfd0ddda779fe2c963fa0f7b669caaec1cab1b54b5815624b1e905d0dd158f002af09b0db9cf9e9e07094ca21097bee0fa2523ee562cb28cd40e068105a385b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ebc9c7efbe0c0933af8de2f85e23a445

SHA1
a2149f5a3fde729000f67133dfbab674fa8a76a3

SHA256
3e76f4acfd72ee81a299f7dd2e71155b6e557629d6f65d917770c9f47303bf34

SHA512
16b865ffcd4936a0a4053dbb44b68b56f745a96b87ff093bbd0f6e756f4c3f7f0f7ca0632a222d9da422a4479822c8dac8d0c56cf9260a5d7f46f509c3960032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a4467b24310b7f9bfebb79b0bdd31223

SHA1
9cce5fc70b34ae23c97d151f710021f6f9598f34

SHA256
4e9111c8e47b292d4b1a35e41e8a4264338802d41da2c1d22d77bb07ae7a3ae5

SHA512
3cd8c8afe10f87b93ef3d8386136c5bdc41a9eb740ae02cace4455831a53f9e09a9dec18e6cb007783812a32e2e6e6a9e73d78bc9298045f41d6b02cfecaa81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d99e761883e24a57ba24076e595c516c

SHA1
c1d16225c4914be8664b945675b6a433a867a0d3

SHA256
07f2328ba969bdd0e2f9e30537a13d43693d4dba83fb33648da5286be274c47c

SHA512
7d7916afb6fbcf4f6746535b89abe7cb84e29d4f0a9f6e72fed2880432665e9c0fef1a8b28ee026d895e3663319297827b9d0832f53e7c4ff0bb4e5de07c1964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
431dd3c9c4763743615b513cfeb55311

SHA1
2d748412061527c8af247e984318e7e6b58e6b5f

SHA256
fb752e9d0cd1c635028041dc4d4ff3783fc0d3b3e01555efcb4fb1f19c5d5fda

SHA512
1ffcaa144ec15d4abaa6dc0450621ca3c3fba78de163bf301186be31fe61c60bff9cc9f60cd4fd3b48710243780a9a956d247565bf0ec89febf594cb1dc24264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
96f03bcb0264758de2d5a20d4c89fb19

SHA1
04c33615e869eb16044890c209484f20f8b38a31

SHA256
f9da2342f3d06abadd2b2d800b799e17455177ca0617681b2f64a020fbfd9529

SHA512
3bfaef80c93ccb9afef333f0daa622b4c74f8e88211f35a6adcd634143518b00a268157daf03fc160719a00a6caf9196160164964fe1c98469122ced49f9284c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
45d23c62e1140f0fa229cd45b751c7ea

SHA1
441aff83ecec3626c15f48a05165748a7334e25e

SHA256
b786642787deda2e32198d88b770d70910e135879007e71cae70454db285da9d

SHA512
d586791d4f4ce83ce54cb6bfa88d206e43c2569c0955df11be4bd858d11ae50483d2d769eef8c900b653eeef1e4d9b599f4b5c1a8f5c6cbf7921cd171270e495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
69f695f0a757e628ddf6d9d03c6b1337

SHA1
dc90466efe8548d911bb9ba4c14eca1e7313faff

SHA256
569bf783661c1a18b6db5296b06eceffd9ba2002757f6d5dd46b7d23cc564681

SHA512
1ff5f945de56f1845d36d2a9b0e360e87bc4f214e503d00fee5b2390b74b1dcf8bae9a6c020f00efc7842729167ddf5c1f14e2f93aee2641e4ffb23dd0002287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31495791ec12b6f60ae9f5373e0da9cb

SHA1
3e3c39b281ba78e99a2a90a137b93d1fbaa91b09

SHA256
789f443d05715f0c3864751be09f1e8e540b09638e2086cea21586c7dd59da3f

SHA512
e24e12080e2e64a0fe8694576e9f9c964927875b229161a6d75cbec2c17c060988834e8b508337482a37b2f75dc3ffed5cc3280cba885da6136f31f8a3901feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
811fa6eb06aaf61564b3bcb9e8b11c86

SHA1
0a4fdde668489d1e2c8ad35e114856e434048670

SHA256
eacb4d111f8f71796ae1bac02d24569d2c2da041bee7be713eb50cf7a95aa52c

SHA512
6b3511018e4a842b56ba17e864c91ae89327303fbe1807acedb8f2be3aba67f0f27aba3b1cc17923cca1fd336376275dccf413e856ddcb88fbda94c65812f690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16d0e3ff5770b75dcfe3856db476785a

SHA1
f7b85cf067d10f773f829fb7b172308afe62c156

SHA256
f10cac0a3da25fcf8140443dc69fd7c5fe727bc1c1d03068348948e0f9a710f0

SHA512
0cf456c60b228f610f65d7aa04801f108907d6bf88d022a92c07f2aa32b426242f1fddb81d9c7eec66e8bf034fe790c77c10462b2bbc44a17069f72b6ae4a15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46ff4becd22cf23668b4f68c0369e25b

SHA1
5d7d22f2c1f0d44e37ddb6154e8cbd9da92c9506

SHA256
a54c40d1719a44abbe6885335265299c2b6b48a21b99436e183c657b7f24f90e

SHA512
08c47c5c0e6193db41b9c4d72d9dc065dcdeff06470fad699644e91753980cac282205ed3890c53a75af615d1ee6e4af7e7ea095fe2518de00b43721c8238849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77bc94452fd3a6b096e20162f30aa81d

SHA1
dbcaf7559d29ae76836449662e57aa4427589274

SHA256
09e756e1e8e9d6c0de155fff45637704844e1891112f7b1bddeca566aa84c731

SHA512
2a0bc8285c801b6eb0ff6aea97ad8a4747f47e433502a592c3da9d5bf5fe3c647b639f885f87137afdd86ab25aaf57149314c1c7da6d562e9bbc02f1549a25f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0eea426fd56b00f289f15fa7cdd5bc6a

SHA1
83cc44e3e19ee167aa2f3676cfe9f565113b5043

SHA256
392aa39e65a76993fdeddc644970971d0acf3bb2fc540c0cd41651e89e1d7046

SHA512
739c41edbc60b66348cd4476539aa377d6030c1c172339a0c88c320ee8347d6206a729f3133a8e24ac7b2ea7e268d3af8a2f10cc4d1b6e2474740edb481e1b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2rMIhTWdha.bat

Filesize
197B

MD5
cc4cf9d5659f5f85cd5bb93ca7b77bef

SHA1
c60abfd9cc66e1961eb644c733cfa63cf9350588

SHA256
4ea35e1853b0ed2328798630c154124c95da4681429be4d094be43fee2ade61d

SHA512
b1ee8bcbac0597101c6d485108b600babee5686795c6c2fed96b004892618536f09092a7fb39708403f8f1b9b50478022ba93f66b6db88d4cb7e15c0602084b2

Download Submit
C:\Users\Admin\Desktop\cheat cs2 dada.exe

Filesize
1.5MB

MD5
6d17743cb2865a46175af86f9ce1790d

SHA1
6a77ee0a902a8fae8e33b897a4b1a0f87311e5e1

SHA256
b0e362d326edb35cc56956d1ae89d1955d42f5636a6a986800453091457ed829

SHA512
4dd16baa63c185b16b5bbb4a6c750d8f132308bc3bb290afb188c417d45a3858cbe4301574a6e0141eb0010f30a704594e546b76d2b0fc5e899bcdeb4b3036c1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 936105.crdownload

Filesize
961KB

MD5
d58c25f2179ab20b7cb0052e06c7e5a5

SHA1
f70256a0069da80a00848a1399e2f4e9488901aa

SHA256
83c1a663de4f7afc55c330e093bf6e0387ecd85d1d1c3c55b40eaac5db9bf519

SHA512
48b676e7eb60eca336dcb0229e285f1cd1713ada8112b7e5a12ada95af0bdcc1c1edd62de14bec1af45a28f2263cba692030131883b3a82ad0c06748a349c4ba

Download Submit
memory/3212-163-0x0000000001990000-0x000000000199C000-memory.dmp

Filesize
48KB

Download
memory/3212-162-0x000000001BCB0000-0x000000001BCC6000-memory.dmp

Filesize
88KB

Download
memory/3212-161-0x000000001C390000-0x000000001C3E0000-memory.dmp

Filesize
320KB

Download
memory/3212-160-0x000000001BC90000-0x000000001BCAC000-memory.dmp

Filesize
112KB

Download
memory/3212-159-0x0000000000F20000-0x0000000001052000-memory.dmp

Filesize
1.2MB

Download