dcrat | 6a4c87064969595078355dae42918fc19c3b71f422d6b5af9cee50a2af2d7b88

Analysis

max time kernel
22s
max time network
25s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nеw-Inst[х64].exe
Size

1.8MB
MD5

3386e2abdfb0d9549bfba2cce6ca7689
SHA1

ed6cb1b6d742f644ea2d1450c84a715d0b342d5c
SHA256

6a4c87064969595078355dae42918fc19c3b71f422d6b5af9cee50a2af2d7b88
SHA512

8f5af4ba0f985ef0b2ebb0a1518f07ad39feac4c355587fa4b1db093d8f763bff4484488a7692550fa458499af696dc2d09c54266a7a2ecfe1340de97eacf8de
SSDEEP

49152:TRWp/PzUuHrGdkuxEiRMmWqf2/wzfUMrf5yfdoP+krDDjJOeZs:TEJPzXHrGdkuWJmWZ4CfdoPhXJOk

Score

10^/10

dcrat stormkitty xworm discovery infostealer rat stealer trojan

Malware Config

Extracted

Family

xworm

89.39.121.169:9000

Attributes

Install_directory
%AppData%
install_file
RunShell.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122cf-5.dat	family_xworm
behavioral1/memory/2652-18-0x0000000000940000-0x0000000000956000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000016d4e-13.dat	family_stormkitty
behavioral1/memory/2748-29-0x0000000000110000-0x0000000000154000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
2652	XClient.exe
2748	Build.exe
2692	DCRatBuild.exe
2552	fontWinnet.exe
1660	csrss.exe

Loads dropped DLL 7 IoCs

pid	Process
2600	cmd.exe
2600	cmd.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\Idle.exe	fontWinnet.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\6ccacd8608530f	fontWinnet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\csrss.exe	fontWinnet.exe
File created	C:\Windows\ShellNew\886983d96e3d3e	fontWinnet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	2748	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2608	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2608	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe
2552	fontWinnet.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	XClient.exe
Token: SeDebugPrivilege	2748	Build.exe
Token: SeDebugPrivilege	2552	fontWinnet.exe
Token: SeDebugPrivilege	1660	csrss.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2652	2848	Nеw-Inst[х64].exe	31
PID 2848 wrote to memory of 2652	2848	Nеw-Inst[х64].exe	31
PID 2848 wrote to memory of 2652	2848	Nеw-Inst[х64].exe	31
PID 2848 wrote to memory of 2748	2848	Nеw-Inst[х64].exe	32
PID 2848 wrote to memory of 2748	2848	Nеw-Inst[х64].exe	32
PID 2848 wrote to memory of 2748	2848	Nеw-Inst[х64].exe	32
PID 2848 wrote to memory of 2748	2848	Nеw-Inst[х64].exe	32
PID 2848 wrote to memory of 2692	2848	Nеw-Inst[х64].exe	33
PID 2848 wrote to memory of 2692	2848	Nеw-Inst[х64].exe	33
PID 2848 wrote to memory of 2692	2848	Nеw-Inst[х64].exe	33
PID 2848 wrote to memory of 2692	2848	Nеw-Inst[х64].exe	33
PID 2692 wrote to memory of 2720	2692	DCRatBuild.exe	34
PID 2692 wrote to memory of 2720	2692	DCRatBuild.exe	34
PID 2692 wrote to memory of 2720	2692	DCRatBuild.exe	34
PID 2692 wrote to memory of 2720	2692	DCRatBuild.exe	34
PID 2720 wrote to memory of 2600	2720	WScript.exe	35
PID 2720 wrote to memory of 2600	2720	WScript.exe	35
PID 2720 wrote to memory of 2600	2720	WScript.exe	35
PID 2720 wrote to memory of 2600	2720	WScript.exe	35
PID 2600 wrote to memory of 2552	2600	cmd.exe	37
PID 2600 wrote to memory of 2552	2600	cmd.exe	37
PID 2600 wrote to memory of 2552	2600	cmd.exe	37
PID 2600 wrote to memory of 2552	2600	cmd.exe	37
PID 2552 wrote to memory of 1176	2552	fontWinnet.exe	38
PID 2552 wrote to memory of 1176	2552	fontWinnet.exe	38
PID 2552 wrote to memory of 1176	2552	fontWinnet.exe	38
PID 1176 wrote to memory of 440	1176	cmd.exe	40
PID 1176 wrote to memory of 440	1176	cmd.exe	40
PID 1176 wrote to memory of 440	1176	cmd.exe	40
PID 1176 wrote to memory of 2608	1176	cmd.exe	41
PID 1176 wrote to memory of 2608	1176	cmd.exe	41
PID 1176 wrote to memory of 2608	1176	cmd.exe	41
PID 2748 wrote to memory of 2124	2748	Build.exe	43
PID 2748 wrote to memory of 2124	2748	Build.exe	43
PID 2748 wrote to memory of 2124	2748	Build.exe	43
PID 2748 wrote to memory of 2124	2748	Build.exe	43
PID 1176 wrote to memory of 1660	1176	cmd.exe	45
PID 1176 wrote to memory of 1660	1176	cmd.exe	45
PID 1176 wrote to memory of 1660	1176	cmd.exe	45
PID 2504 wrote to memory of 1628	2504	chrome.exe	47
PID 2504 wrote to memory of 1628	2504	chrome.exe	47
PID 2504 wrote to memory of 1628	2504	chrome.exe	47
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48
PID 2504 wrote to memory of 1932	2504	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\Nеw-Inst[х64].exe
"C:\Users\Admin\AppData\Local\Temp\Nеw-Inst[х64].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Build.exe
  "C:\Users\Admin\AppData\Local\Temp\Build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1084
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2124
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\WinnetCommonSvc\fontWinnet.exe
        
        "C:\WinnetCommonSvc/fontWinnet.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Qr72q2TrP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Windows\ShellNew\csrss.exe
        
        "C:\Windows\ShellNew\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3139758,0x7fef3139768,0x7fef3139778
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1468 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1160 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3160 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:1
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3176 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1292,i,12669048549470153974,14634118100230582490,131072 /prefetch:8
  2⤵
  PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3139758,0x7fef3139768,0x7fef3139778
  2⤵
  PID:2096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4af14b992d16a9097ddb4009c70b96b9

SHA1
2606b4a060c324c2048ea8d54374d4f2402886eb

SHA256
6ed45c34d54bb5f6e8b2a14aeb78406c243ca3d5eecd7a00089957e8c98dc7ce

SHA512
3d7642f60e8a54040b80872747cd6f37017c77ad3ec3f4370fe5641f8a0b76ffbf59f6592f9851d35ee192789b525e2e20d9cabb4c52f00cc08ea3bd94fa8987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Qr72q2TrP.bat

Filesize
157B

MD5
6648b009047e450a19b678ce4564372c

SHA1
f46ce52051662e94c99cc8646ff15f596eb010dc

SHA256
ddc4a0a05bb04d312f42de163bfb9d556d770724b75b36493d4d2e74fa99d4de

SHA512
7d1118444cef57b0aa141265f9b9bbaf538a8e689b30722c56ebc85a63c34cf3f9685a47125b36ce64f9ca0dc136ddd86f3986c68584edaf0e0822847a874587

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build.exe

Filesize
250KB

MD5
b8f3934b55afbaa069717cd2e2eda6dd

SHA1
b33071c576f2637bd679002f01ca68e4df5112ec

SHA256
7cd58601d62de54c16bf279d2eb477a0e5b85f62cbe387268c1bec578db2a1e3

SHA512
2bab25ed6f190e56a96986400e5004956d44e3c9fe6e95e0b6540e503ad232ed3c08c85aaf3926a7bab3041fdbe64e363785c07fce9c011fc09abf2c39fde0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.2MB

MD5
730239632db99d16b9f2656950408bcc

SHA1
ae877e836becf0b7727cf61c0277446c1c5ed381

SHA256
6dbcdb70833bb9ac5656887e6eae082ade4d197bcf6516c70e10ab196a23d292

SHA512
bd3b2973c54ee9754f19ef5eba73d9252de285c5d574611b01db0ea3f0c3c145686e319dc2a9f6b8aff94728eb1bfb8485a98152175cca5deed52b6318c16da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
64KB

MD5
31d745f5009eeda2da51b2d05d9711c5

SHA1
26c27b236bed8cb2046acddcc1c7d7b642b7c610

SHA256
37330d19e9479d225bf3934cf1b7bb233adc6bf0c8c876f181b814759d7c0b0f

SHA512
8319478d1ef266243e26592edbef9acbb07eb6de059043981e7f824424501691d41eef4736f6fe05e7ffc718ed0133489d22bd850c7a6773f7f50bf34207da4b

Download Submit
C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe

Filesize
247B

MD5
8fbc46f9794e1b89929cd710e53f0459

SHA1
15453a386f1c94b5ea4cd0ec41aa3c79c5dd2f54

SHA256
aaa6ca00879bea0f370824f57a72071aea49ae438ad2abb3eb4c9faddbab3d86

SHA512
b9fe28c4b771eae1f2261e4e17ec9e6d6055e17a5a2a5a32f8ecc7aaba9cf73f14e89ffafcc3455ed57cfa48fdde6d393630f585349f8ce4d2302543f323dc9b

Download Submit
C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat

Filesize
89B

MD5
f2c017fa853e79d1fc9f0ef254fbd9b7

SHA1
911039790cbad8fd3d7ff7d5dd3ed0099adc4ed9

SHA256
8848856354f6c99d5821c08136a03c75597f43dbfe1f8475998db4b19e833b13

SHA512
ec1af3b307d7c7d30011ef7a9d0d1b7c53f15cdc7f028163fa40db3711e9d83271dc4a089160d9c9a6b4687ddd87b0cd6fd5bda2e375a080c8d0a6badc4885ca

Download Submit
\WinnetCommonSvc\fontWinnet.exe

Filesize
1.9MB

MD5
a5696185d5f9c88887e304e46944a366

SHA1
dd3daef6d70edcfbff6e58a123a25e212534941f

SHA256
3672ce6a54d5f04368c85ca8d46b2f0d67b548d05703bb14cf3492dc21fff8da

SHA512
9dadc5dfec936039b09aeed6c49a58cbe1162a9939283efa27d8660ea8aeeafc28d246ddf4270df93d89af15822d1f8b4aebc8d74ba040969753975013b3d579

Download Submit
memory/1660-73-0x0000000000F60000-0x000000000114C000-memory.dmp

Filesize
1.9MB

Download
memory/2552-40-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2552-36-0x00000000009E0000-0x0000000000BCC000-memory.dmp

Filesize
1.9MB

Download
memory/2552-44-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2552-48-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2552-46-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2552-42-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2552-38-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2652-70-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-28-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-18-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/2748-29-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/2848-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2848-19-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-1-0x0000000000BA0000-0x0000000000D78000-memory.dmp

Filesize
1.8MB

Download