299f540f9bfc0fe589ceff868b65107e0e8421116bbcff8f859f4b242105281c

Analysis

max time kernel
144s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-09-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Better-CrewLink.exe
Size

120.6MB
MD5

9a64d73c64fc60e96a7cfb3830d96c2f
SHA1

08ef01fd02c510c17f841b6259e7389f252a2c28
SHA256

e7386fa0c4bb0777d7d44799e96963fd346ad831207d090d09410800ef233bcd
SHA512

f032fcb9b643db45cafa44128117ce56964d9beb3e0909f8a3cca775a8eafab178a69daa9832622de35b5a32e2c3542568a980b5fda4d5f40d25240996b17594
SSDEEP

1572864:X1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49zi:qasulbg8yTnbEOzi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

Better-CrewLink.exe

pid process

1320 Better-CrewLink.exe
1320 Better-CrewLink.exe
1320 Better-CrewLink.exe
1320 Better-CrewLink.exe

pid	process
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe

Modifies registry class 1 IoCs

Processes:

Better-CrewLink.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{290D1F3C-8185-4F76-899C-0BB0237575AD}	Better-CrewLink.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Better-CrewLink.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Better-CrewLink.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Better-CrewLink.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Better-CrewLink.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Better-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exe

pid	process
4512	Better-CrewLink.exe
4512	Better-CrewLink.exe
3700	Better-CrewLink.exe
3700	Better-CrewLink.exe
3700	Better-CrewLink.exe
3700	Better-CrewLink.exe
3700	Better-CrewLink.exe
3700	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1336	Better-CrewLink.exe
1336	Better-CrewLink.exe
1868	Better-CrewLink.exe
1868	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1696	Better-CrewLink.exe
1696	Better-CrewLink.exe
1696	Better-CrewLink.exe
1696	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe
1320	Better-CrewLink.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Better-CrewLink.exe

pid process

1320 Better-CrewLink.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 708 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 708 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Better-CrewLink.exe

pid process

1320 Better-CrewLink.exe

pid	process
1320	Better-CrewLink.exe

description	pid	process
Token: 33	708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	708	AUDIODG.EXE

pid	process
1320	Better-CrewLink.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Better-CrewLink.exe

description	pid	process	target process
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 1280	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 4512	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 4512	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3700	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3700	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe
PID 1320 wrote to memory of 3472	1320	Better-CrewLink.exe	Better-CrewLink.exe

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=gpu-process --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1488 /prefetch:2
2⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1884 /prefetch:8
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=renderer --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2584 /prefetch:8
2⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2624 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=renderer --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=gpu-process --field-trial-handle=1472,11318509533627261919,14037503617656891077,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2572 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f704752-8090-41a6-ac5c-23dbd8d9e40d.tmp.node

Filesize
134KB

MD5
79b8e161c45b27de0f317af0a641c47a

SHA1
e772c3fb59ad50cdcae0c9a49ce75900afe3c6a0

SHA256
7fce92ad3f4165f7465e5f1fd84091922df448495c9337f20d6d9601b297c289

SHA512
3f5a385f109cb55a5d035a11b1943ef32234ed7927c4122b1cdf2593513d45026bb15b610a55c4fe0f032bd3c618b186fab3b6619469cb14c2ca2766f72f6f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\61f2c5c1-6ca1-43ff-8836-d41f827dd65a.tmp.node

Filesize
116KB

MD5
a81237a15d311941416a20d6d431cd6d

SHA1
617065b1e56d4bd915c4d5b9525bf447d94e38a2

SHA256
48afbd43cd077fb2cfab92c31f550dbc11e49d9584f599667d5b9fc2d771bbd9

SHA512
f29d5074af1f6a78946bb26cc690b87b26171176ac68774527d19c1a091fd5e9dd3d7b855a452922cb567dde5c987d820334c8034e8e4d847a65be8f9f306c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\69456819-bf65-4417-88c0-16664c7b3d88.tmp.node

Filesize
208KB

MD5
914127d4327b5b6c8bd939e1be5bc350

SHA1
cc665ad9ac714a4f6d933192a894ac92f1b9fac6

SHA256
83e818beb4c8aaefebd3ef4bbf2b03614c58a13787993539d17e5414ce584c26

SHA512
0825d51cfa8b9339bf509101407c90386e7625dd74bc37e5d67b3237b0163fc10e6df9990d890dcd15c5a37847c11ad8a70386b2e6e0d6b9bbff114be4598c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccf4e64-5e11-4c4d-b2e9-ab2d1d398c4c.tmp.node

Filesize
613KB

MD5
174c50bb9795f9d23b87158da5cfa977

SHA1
f5d963f733d9a82490bd828051b45c2b322b032b

SHA256
77ad8327ae7fb12e0d6b8f3d806311be07d2c34cca0da720cab2af4cb8c30435

SHA512
bf9bb12ac5b4a38fba44736ddefd48afb98ba3b5ce9ee262ea24ae7d41b8d4a41cb5a8c66336218e40cc20c2df75166b11587ea4c4a6764e5942a7cfa110b769

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\Preferences~RFe57d9b6.TMP

Filesize
161B

MD5
fdd36247eeaebd7299cd2ba4263258b7

SHA1
f5c6e0860bd78c073789db4bdeab664e1b70e825

SHA256
399541786e2d6b9035117526df935215be5306e349cf4d080ff8aeab54115f4e

SHA512
564c940c767cdc8c4b2fa7b63749f98a76e9d1131f644bf00c4fc8e9db0f2b8558c56c20cdc2fa86e8e368067ae7f5ec9744011b2e4b2d64486f7bd7c004c612

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
33162e760bccf2b99fca7c70ca2bcf69

SHA1
9fe46ba6cea79f5612794c74d7e87f75b14484d9

SHA256
b6ce600cd1f0d968e188475d81bb8014b71ac6e5e348fb578bc4a4392b47cdb0

SHA512
273bb468c9bd911bf0381613986c9cae18da2c98e130de8cafba697215f778dca2f95d24ad9627562a6e3a11160bf826ce176d0878da34f7ddd03b0cd11f0ee9

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
39e0ffad643551417ac5c8fdd9775dfb

SHA1
7aba2a6241b939d61a3668b2df8e4e5910321b8b

SHA256
68013684399d387c36c4c4eb88c12b69dec57d2d5c91223713a43f328d145992

SHA512
b4a496f570f5bbfe7aa75d66f691632a752d9d2e832e6353e9d20e0b6b29c62e0685631f5324c2da23c921f1d89ef3a317292fc4a52e5d99024898a98d2f847a

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
9c1ad788183c38dc77c0173201714532

SHA1
e4faa9ea3763dca2a6ea325e2389ba79ed9c2e79

SHA256
21fba93cffffa78e4b42f2f464506c6f665a93eafea0178c0abaadfd1e1be60e

SHA512
dabed66e0d6b8313cb84f7a61f9f6ead14e36d701b9afde4e28e200b70b39a3e521b7dd71cc2e2d2dd4b5e6b12ad9b23e9534ad251ce31fd26dd981500aa152d

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
fa2991e2ed793246cce1a94b5f155421

SHA1
5d6c77338633f654dc65f78f393b0010c38a3aa0

SHA256
c7e234d099e6ace5de2165b9165084c64ae7963732e9fca73ccc114e24ac1f7f

SHA512
b7c7f17ff458a08c51e493b9fdff1bb10fee23b5b2e9e87e099686528961ee6d1b983876b0df39399751244a86d14ae5038c093a5fd1478718d118986569aac3

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
e1350a4f733b66aec7d9efb4daf681af

SHA1
1126b48281388c3be273a8e2dc9fdf633b1dd901

SHA256
53a6445de9b3b28e8d070f8723883085e9288041f292b619dd14e853ed7437cc

SHA512
670166e2d43ae763891c8f7ae2590fd7e9fc746a144cc8414469fd763af7396db1379ba62604a60576e6dc1304d8a29e7e64bbcf6b374a45d68867967f1648fb

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
9700b65b344b860b1532a5b1398cef6b

SHA1
41c4e559d7098f00cf9ae95be8a3972074277055

SHA256
9bb499604ed487237dc504cab68a515222b405776090bfee47f580f989c411c1

SHA512
a320ae9b316f8a0c10727df25b6f2595a25de02b7816f16786f70b56203ba273b8cea0933a1c75934d8a0d08a6088f83d1084ed6875742d409354e509d7d456e

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
576ccedc2a52ce9fd68fcb81aa18df4b

SHA1
9290ca9d7d16bb8e6308f64cec835ec8a0d4811d

SHA256
40193224659f141f4dff7732c54c9467c538440e9ec9c6f66b1147483ac36add

SHA512
b787d427e3745a90f2473f021ea14f92f9fa169a089fb514aad19b72d0f8a15cb496cd32dbcd2a58f175356ef8c717d2bf7f009886934d7f9620b9330b824323

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
8c9c579cc701aa5927a7206b1c6fa983

SHA1
3bd54db85578fc2187a033415c4864d18676a73a

SHA256
0fc8af49db2f2276a8cf221d7ebedf702c1780dc24fcd35218671e2957a8066a

SHA512
2fa46171a58c573af4ad886a09a2c9f7da4e39f783a4f6c086d45ee0ab63ef937697d0252aaf1271ae89372a58e3313fabc8dfc89cdc0ed3f72d67382f79aa34

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
5d59cff9a99bb219f4fe7e1502f7b4c7

SHA1
b4a657a2158ca88449c30b37e38f4fd260c6e01d

SHA256
d166bc87a59ac38ef87d648efe813ff3befb889fb67a17e1b4cc3db757c7db64

SHA512
8cace5bfce0066a37e47f1a3d4a9f1382581c251d4b117b9bb48b7990fd6d9533a6f2d168fb214e7ef3ee287209058f43e3df1bdcdf0a4a3f044e2fdf15bbbcc

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
905dd129c4e0a781964c068a2abb5576

SHA1
d0dc3955734f4613fd9f551ba788ac24ddddb8da

SHA256
0c099805dadfb149f57a1e78893b3713661760df60475f4839be1e7f62615c31

SHA512
7db318d899da87655efcd4a269588f7f1d281b7bc894065c09bd5e10ed3650dd9224f64a23abcb855fb3df7e4670551029903141dd37af79dc18b85376d80ae8

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
e13caf84998874f7874d64ec1dc3982b

SHA1
2a11d4433d65592e651e09b9635113458f1ce8fd

SHA256
fdacbea8f4b6826581b085c03df5b5128a6fda4de97b79b0cd677eee0229257b

SHA512
a05b2d17a9bd2344666bd13d1d22bc61f6508f8e3dfb46ff1016f310c2f731bec6db1eb6bb91ec1e74b9d9e60458274d261b59fbb444a179635b67fc224b63dc

Download Submit
memory/1280-18-0x00007FF899C30000-0x00007FF899C31000-memory.dmp

Filesize
4KB

Download
memory/1280-199-0x00000226DFCD0000-0x00000226DFD7E000-memory.dmp

Filesize
696KB

Download
memory/3472-213-0x000001F40D8D0000-0x000001F40D97E000-memory.dmp

Filesize
696KB

Download