bitrat | f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

Analysis

max time kernel
69s
max time network
184s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 09:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

stub.exe
Size

3.8MB
MD5

4443b57c1262fbc156765ba2a9019391
SHA1

b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d
SHA256

f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7
SHA512

84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/emlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

103.153.182.247:6161

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

stub.exe

pid process

2356 stub.exe
2356 stub.exe
2356 stub.exe
2356 stub.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{554E7E01-ECE7-11EE-BFAC-EEF45767FDFF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

NTFS ADS 2 IoCs

Processes:

stub.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:28-03-2024	stub.exe
File opened for modification	C:\Users\Admin\AppData\Local:28-03-2024	stub.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2704 chrome.exe
2704 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

stub.exe

pid process

2356 stub.exe

Suspicious behavior: RenamesItself 14 IoCs

Processes:

stub.exe

pid	process
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe
2356	stub.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

stub.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2356	stub.exe
Token: SeShutdownPrivilege	2356	stub.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1344	iexplore.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exestub.exeIEXPLORE.EXE

pid process

1344 iexplore.exe
1344 iexplore.exe
2356 stub.exe
2356 stub.exe
1984 IEXPLORE.EXE
1984 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1344 wrote to memory of 1984	1344	iexplore.exe	IEXPLORE.EXE
PID 1344 wrote to memory of 1984	1344	iexplore.exe	IEXPLORE.EXE
PID 1344 wrote to memory of 1984	1344	iexplore.exe	IEXPLORE.EXE
PID 1344 wrote to memory of 1984	1344	iexplore.exe	IEXPLORE.EXE
PID 2704 wrote to memory of 1620	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 1620	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 1620	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2820	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2844	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2844	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2844	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe
PID 2704 wrote to memory of 2608	2704	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d79758,0x7fef6d79768,0x7fef6d79778
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:2
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1252 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:2
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1112 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3852 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3840 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2628 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2140 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3248 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1168 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2448 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2580 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:1
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3984 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3788 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3784 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1344 --field-trial-handle=1228,i,1603139326599081890,2832130758553912903,131072 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1496

C:\Users\Admin\Downloads\stub.exe
"C:\Users\Admin\Downloads\stub.exe"
1⤵
PID:1656

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:696

C:\Users\Admin\Downloads\stub.exe
"C:\Users\Admin\Downloads\stub.exe"
1⤵
PID:616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\91c6786b-ffe8-4b6b-b794-873e38926908.tmp
Filesize
5KB

MD5
202b7de1384dc455546a8dead131319b

SHA1
cba318304d77085f05927012cff4c2d0e2c1f5eb

SHA256
6e375a6590bbb0845a33b95a86ae7b7e3081f27695391fbbd38259f6b8ad82f2

SHA512
3d4cda0c7f6f63ad2374c0dbccf5e1474aa7a7dc7ce43ce78263ebd8ce793b72faa7af64b6aadb9b3a9999c333488627a3503fb58e5fab6f4a3ac95cda1f87d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
829B

MD5
c669b42f564f3e0ba7eb427feb9f02c1

SHA1
ba0e13a7c46e5ed68a3a8005e79065eb4637385b

SHA256
02e379e00f569f666cd4f12dd6c899741bebe8a5a47e40740131aca39e9a059d

SHA512
120555e99ed1753340ad66479252f2c51d6865c7553d2c0d30107c92eef233d78baa233fd0ef609bc7784c4baea18d5b37fe6f938f39a9fe05bb192a1e4a57b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
633B

MD5
6f9db3d312e521c55475cd0636aad2d2

SHA1
f65293df3971c7224311b89cb26821f00b555152

SHA256
84bd80353de56e997e2afbfa69271569f8c28399fbfd00e5454d11c2095895ca

SHA512
6fe504c4f9cd0aa458ae682a4fded16168f37b4f3788fda5b78bd3f2b7c8166c8bda23bfef70a5bb5a4cc18f47159e7895ddad186cbd0993ee7fd549d41888c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
67cb524267eb8e8167291a1b5da04524

SHA1
464d5bb7ed2a2db37cb99d6e810b070fb08fb3d1

SHA256
58e6518dca6fd476b34a6f2758bcbf0ea3a2bf4592f56a5840e7dce3b0dbd51e

SHA512
5ad522fc7e5b67e821330da93760383204557006f6a227c93080fc9e9c6da17f90fbd01dbd46cf71699c86ded669c425ef48fa0d9ed1be14538351e9f4584abe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
49b19164b919ca3ed4cab1a161dd27f3

SHA1
f3edc84bfeece123c2ed15dd6c022ab71d34ad4e

SHA256
3b5a50096634c92fe48c44ea296597e3625bbd5647f8dbd6003e939ed9357e90

SHA512
9243ef834da92046078eeea1a80e35641a76d53bbf1992c3d05b517933d55923aa29c6fb0e01e2acd07ed4a55cc2121bdb2eb81a7b2860afcedf3075dd932019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
12621831982b4840e0c64e5798feb40e

SHA1
a2a6cf21f4f24879e2ffe4f47c8b3d578b680969

SHA256
9ee0b2a2794b37c19b7792ad9eda6968546af980c9697c0f73a5cab31e459b1a

SHA512
746333d08ae8d99a4c7a929995918774af40d7ff7b6f19a0bc21bc1ce23e4bdd6c71ba7b9c90c47e2b10281f2cf0174a4f88230925ddfd3d87945b4f432ad265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2962c1979d8b2bf3f6eefd4611fb4961

SHA1
38442b0f63cd6a992604eaee64352bfb042e7ef2

SHA256
10a1b9df83790e26d5436f5d675650bb596ae4a059d93379dbd9c06312647c1c

SHA512
98d138a94c68af93d2b655bb79ade82a0acbb52110923f0ea8eb6cfa761f527c80d32eb21810bce7c212c888cb4eb85609ff4bcc6f98b3aa70c656fc028765b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
def4e607d37c692eade275365b64e25d

SHA1
eeb5f2c14989dafd0281e5a5a3381454aa5f5f1c

SHA256
03f998e2256c9d54c80c59f9589aa09139282ed916cbcf2b31d63d0ed9693b40

SHA512
2c9a60142a1de1b8e8a2c57a1b31217806ac45b0af8ecd86830845948c1ad4d7c82f28be3edf3014e9c3f4f7e2b8797e397db30b7daa9bf92b5aac5fc3323175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
f82143f9549e94fb9f1a4cc0edf61465

SHA1
d5b82b006debc65ace0be4e06a04b0c417cefda4

SHA256
0a54394b4dfb450ce08de5f039b0eff415b50fe9b8f39a71e893b952217c1442

SHA512
f3a9d8f9c0bc4715b1ec8b2f58722699fc6f92b2f7e5127c75758e38dca1d62cf7151fcf05da22101ccb76aee76c53d569eba215e385ac57b55640fba0229750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ca79c9cb-53bf-41dc-b16d-f5f9bf5aa6ba.tmp
Filesize
261KB

MD5
efc41733aabdc83dd18c943f4d8e7d04

SHA1
8846de2baac2fb10e9f853e0d73e4e14194850f9

SHA256
69932533cba7e1a2a6f7286c5276425fa80945a5a2f37d9f66583e704cb83026

SHA512
cec60ae58e340e43aa3da2a5e21bd80c5906dc0fb8ddbf66b00330f7b1c1f6f25d7d6927df8a0050957e47db34ee0d1c2f8334e03b51c76b8ba850dc168be8a5

Download Submit
C:\Users\Admin\Downloads\stub.exe
Filesize
3.8MB

MD5
4443b57c1262fbc156765ba2a9019391

SHA1
b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d

SHA256
f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

SHA512
84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d

Download Submit
\??\pipe\crashpad_2704_GGAYRHXBJAUXLMPV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-250-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/696-256-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/696-257-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/696-255-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/696-251-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/696-249-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/696-248-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2356-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2452-360-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2916-361-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads