dcrat | 104a911945f430c05ed156633a3fb316634218cb5510dc6df373a23ff073238c

Analysis

max time kernel
132s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BSThacks.exe
Size

1.9MB
MD5

1d81f2dcae2cad16ad719a714414ccf6
SHA1

57aaeab4ec3ba5d0738684256d4ec2416ed85981
SHA256

104a911945f430c05ed156633a3fb316634218cb5510dc6df373a23ff073238c
SHA512

13cff621392ef6a69ca88e42ec36f64391ea58145e8851535a6b41ee120c59d3842cd05325c844280925a751b8ed10143f3efff9c378d975bc78d89fb6416b8b
SSDEEP

24576:h2G/nvxW3Wd0qOQqfjhiF+eSmd57d2lDPRGy+UddyFqVg+BI/uG4AKkLkhu0:hbA3LuqO+Fm8RUvtFqueI/ckLkR

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023cac-426.dat	dcrat
behavioral1/memory/1724-429-0x0000000000A50000-0x0000000000BBA000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	BSThacks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	SurrogateCommon.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BSThacks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772805776411807"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	BSThacks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1208	chrome.exe
1208	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeDebugPrivilege	1724	SurrogateCommon.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe
Token: SeCreatePagefilePrivilege	1208	chrome.exe
Token: SeShutdownPrivilege	1208	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe
1208	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 856	3428	BSThacks.exe	82
PID 3428 wrote to memory of 856	3428	BSThacks.exe	82
PID 3428 wrote to memory of 856	3428	BSThacks.exe	82
PID 1208 wrote to memory of 752	1208	chrome.exe	86
PID 1208 wrote to memory of 752	1208	chrome.exe	86
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 3380	1208	chrome.exe	87
PID 1208 wrote to memory of 388	1208	chrome.exe	88
PID 1208 wrote to memory of 388	1208	chrome.exe	88
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89
PID 1208 wrote to memory of 3352	1208	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\BSThacks.exe
"C:\Users\Admin\AppData\Local\Temp\BSThacks.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewwinSessionhostcommon\Txzzu7tsLbyOTjIrlPW5YR22FQ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewwinSessionhostcommon\JS95NsahAYHQx.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
  - - C:\reviewwinSessionhostcommon\SurrogateCommon.exe
      "C:\reviewwinSessionhostcommon\SurrogateCommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff91606cc40,0x7ff91606cc4c,0x7ff91606cc58
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5464,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5396 /prefetch:2
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3700,i,12171743172582924858,14169794919406569035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6154714a-69b8-4cd6-b3b1-036424e9ac2a.tmp

Filesize
9KB

MD5
789c2b9479e1fdf2f6cc688f2ab540d2

SHA1
a0cc71283da5ba673bfe45358023019e3ec229b4

SHA256
8a8c0d40060747dead746ca79c7f94875787bf9d0679ebfe3463a43c5321884e

SHA512
562acbb11fc7d5c591390eefb0c98bdc6ac75cd7b8ebd73eb422876ce501f15822bd89bfe5f3ea7ac90324ceefb60856582401820a4ccd2bb7fc5e45d72dc071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f3c8e68bdc72d002a5b3fd6352d2feb5

SHA1
40e2769ada7b961c685baa3b357980399b481193

SHA256
71b583b7f683969b2d1c7b2efd3ec4c576fd70ec1d730c05a320bc9a9fc3d3aa

SHA512
cc81c4b8cd4145623a549fbd46b80226af0b9c859633adb8302a4d51205f4cbbd56fde46ed39916aa15bcb7bd95a3fee22636b4900299eb8e8356e5ff108f39f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e657f56011afdf30905fd7ade8067645

SHA1
aa32b984313882d07f147f95cfbfda03cc3ecd70

SHA256
0c6b2713b063b2cfa8bbd89f4340f72fc0c3dd59baa53ac76d36cfb12f095735

SHA512
bfa3fce0aac7d20065f0e277b69713f611e6277c24a3adb19081acf9079a8a8521f2e590c0a21ebc417abf799ec5c7e3bc5c5fe5a6dccfa2ce9292c6f3aa6e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
debea178be9c30c5baa4be6b0e8d99c3

SHA1
de68a7e0d80036df929f1b030c6cb2493dd04173

SHA256
0a123e1f7c444d00f4d2c9bc06e5baa67309d42e23666843adc139fe02cdeffd

SHA512
d317817adfd6965faf86817961fd4dcb6c2e1583743f57ce1bdee69f0d12406300d8d6fe372e12aa090288b6faa1507e5fba54c3e411cd9213e472f3354735b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d06474bbc986cf1bdd1186acb949e61

SHA1
7912e6989ef796c30efe51ea2c301e81288c6237

SHA256
d7443ac846b7a017452602442a64531b98982521b84c6a1573962cccdc8f505e

SHA512
42e36f93469b0ca5b4a1e1b24fe85fa6e34d758020a6672db4c4b1c9eb04b82435556fb09d286942cf7097709fc46b27a320de95c8533333c48782d6e5853b36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4eb79fa1145d7342afc1abb7c99bb57

SHA1
bcecc7b663e07695d2fff37a50eeee1e774a6447

SHA256
6ee97890fd67d5d1e212c1866015b502b20fdbe8abdc75a6341a71c2e270a1c2

SHA512
37edbe4823ca64c30e271f3c9ab723313ca51b1e9a22d2c302595c860984682f5d8fcf369f184b42a3d563c3c5283ccd2d35e31c5fe61d9c19e3d11f72370af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b63a4dc701b8b05fdc40fd3938441bf

SHA1
4dfeaa947bd3912866f7c1db7718b953d5c609ff

SHA256
c03f61d3b93a9ae1b2cdefa30db8f7023cf4b37c2b063c5e67f939f924650519

SHA512
3fffa390be54de8fd36505cc7acf4f981ee3d326aa742034750e9268e64334ffd6ebbc793f5a9a6cccd2d88b5db62d157653795cae01ff859caf2cbea854122d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cde62d37892a2d9a2c8a04e134609aa

SHA1
5cc629cf05662b4071f3e5544f0696da9ea3f81b

SHA256
a8d0c4b94f9c4636140f39213e5b0ac50328d5450111d336fb69a8815b7148d5

SHA512
d4d6ec8c0259ac9a47bf699da001cea314b9f75e83d3400327d333b0655d5861deacd203486435c716cfa461cdba1da06bff58e8c08110881f9472b3a6fe4ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
701d0f28a47a392854b448f37353488f

SHA1
fabd2e3b4b65ace8a48b6a8a4afcde0bbb1d0103

SHA256
89d639e25e884a432040c6e3b17e68148115830d300908c7aea3403b6220375c

SHA512
768adab2c2d7f4b52a3813e2ddb98f8d396fbbbc4a5239eef954c2534724a62233381b03574a1dae7c8fceedf773d035a08cea083f6d2cc8b9518fc523e38752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b7a1cef9e429ea63a3a81191ec6d628e

SHA1
f294c858758b2f98d59b386110744be1a6c4ad93

SHA256
12b7405dc52bcae59dbe24bf8610e4f636a2d4bc9bd0a63356c179ed064ea969

SHA512
8be49c6a7fd907a83927f53ff470e6641bc9c7848feff529ba620ab17a340d22f4149e213664f01aed0c4441260b9b9f4fff4bd0e9b4e66546f98c1e09fc9f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6b786086b9e071ec355248fa6c1b13a4

SHA1
4fcacb4b001905a53ebb74f252dff171a6127fd4

SHA256
64e97542973dfdfbed0fad13ec42fc7dc40ad4aec8720e350f8c3b0583ba21b9

SHA512
2f25ec370e0f6011fa2b024ff86af7169a625371821075f34a216f547b8bb168cef8567532d3b242ed8fc9959b0ff02786c479cb49f668a772fd0d6d7c246ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
9cb1d1988494ab9a068d5c2887ecee91

SHA1
f70d87c9c82179bb4dd20fb451ad852ac1738c18

SHA256
81c7eb5c8785c84e1ffbcc33776a6c80b078a1747fe1bae3fbb10ebe82f5df71

SHA512
73441de10c13193b13402bc9d7524c78d07158d570c0fc179e18e7539988f2b2ba976331c6e35b4f00c7727d4b204a3b12656a83f3591041dd5946b1e6fca5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
d715fdbb1f0a63654310898ccf377ad6

SHA1
b930a132167e4d393d10bb7a1bfeaf91655c0451

SHA256
1c60c09efd315bd6a0c27a3257452251658f0b85a48eb3a2c942c53ea0776f60

SHA512
160a481e3d8f74d26a255c8dc42b4e5ac29eb88720b59ef93e7bce021032df23157e9f0c825a1cd4ac699d96168a607bb216af0e8f30df2fe0d402cef2a7ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1208_2008937733\652abf15-716f-46bc-880c-0232742b4064.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1208_2008937733\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\reviewwinSessionhostcommon\JS95NsahAYHQx.bat

Filesize
51B

MD5
9c99f272c55f24c38a3d732b84ee715e

SHA1
36bb0afdeec66024499b72208280fb01228f18e8

SHA256
3d4a917d49a46a40bb4d22b101c01c390f9ee1a1ecca0dd59b726df6e9dc9867

SHA512
8ce75d5f3ecabfb493a47a71a76ac9b4d7c39fc04160c87fb60e2453f02104da9ef7f26b0c78ea55beea11240e2c47c0cc61326ce71a14dac98c02b5fc88b072

Download Submit
C:\reviewwinSessionhostcommon\SurrogateCommon.exe

Filesize
1.4MB

MD5
ea71569b0e51e03231229d19a6b8199b

SHA1
d46bf331915a0dea8512c6616bedee508a1496a7

SHA256
89f2f11a0e44dfd721f5994912632a028e4e628df4a8df305695d473f0d042a4

SHA512
859255b77861b65682e2668ebbd3536b7b2dcb5c26b699017330c701531e2dbb35ba4eb5b001a8c87143257f94ea5a1beddf49184136372f304811d7ab3f1e87

Download Submit
C:\reviewwinSessionhostcommon\Txzzu7tsLbyOTjIrlPW5YR22FQ.vbe

Filesize
216B

MD5
377212779c8949d887a9c98109692f94

SHA1
a219371560cefee4bce8beb28edba33e832c048e

SHA256
1bcc22a387d65049c14dac5288fd9afbe6d677393551e181e53c7c4a4a5c4a03

SHA512
c2b24c446f9b0f01fee1d5aa7304df9c0bb19e22190c38626740cdcf1d417f23bcc3ffb49f9c71bd7de5529427a031640bc2de48c5d1de772d86956cbfafba4c

Download Submit
memory/1724-430-0x00000000013A0000-0x00000000013AE000-memory.dmp

Filesize
56KB

Download
memory/1724-429-0x0000000000A50000-0x0000000000BBA000-memory.dmp

Filesize
1.4MB

Download