sectoprat | a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431

Resubmissions

29/04/2024, 16:29

240429-tzjd2afe5z 10

29/04/2024, 16:02

240429-tgvdksee94 10

Analysis

max time kernel
68s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
Size

347KB
MD5

b6516621eb8e71838afaffe1a06c88cb
SHA1

dd58301bf4f7ae30a48f81051e84ba2b481c1ba8
SHA256

a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431
SHA512

c598690e4a4edd459e05c62b76deadcaee83a7a64c996c6393b308fb75bb9e212b4f88bf11040c5c60926545336c4054c9e0f7c84f90727b44455c6e7e43e8ee
SSDEEP

6144:b4ZQNIo0QKjHUGwo2ve4u5b85/k1sZtl8OguSDU4pt3hdno/:boQNUQ+HUGj2v4981MsXl87uSDU4pe/

Score

10^/10

sectoprat stealc discovery rat spyware stealer trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3040-376-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2200	u28o.0.exe
2976	run.exe
2092	u28o.3.exe

Loads dropped DLL 16 IoCs

pid	Process
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2200	u28o.0.exe
2200	u28o.0.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2976	run.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
560	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 560	2976	run.exe	31
PID 560 set thread context of 3040	560	cmd.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u28o.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u28o.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u28o.3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u28o.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u28o.0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2200	u28o.0.exe
2976	run.exe
2976	run.exe
2200	u28o.0.exe
560	cmd.exe
560	cmd.exe
2776	chrome.exe
2776	chrome.exe
3040	MSBuild.exe
3040	MSBuild.exe
3040	MSBuild.exe
3040	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2976	run.exe
560	cmd.exe
560	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeDebugPrivilege	3040	MSBuild.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2092	u28o.3.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	run.exe
2976	run.exe
3040	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2200	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	28
PID 2904 wrote to memory of 2200	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	28
PID 2904 wrote to memory of 2200	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	28
PID 2904 wrote to memory of 2200	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	28
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2904 wrote to memory of 2976	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	30
PID 2976 wrote to memory of 560	2976	run.exe	31
PID 2976 wrote to memory of 560	2976	run.exe	31
PID 2976 wrote to memory of 560	2976	run.exe	31
PID 2976 wrote to memory of 560	2976	run.exe	31
PID 2904 wrote to memory of 2092	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	33
PID 2904 wrote to memory of 2092	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	33
PID 2904 wrote to memory of 2092	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	33
PID 2904 wrote to memory of 2092	2904	a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe	33
PID 2976 wrote to memory of 560	2976	run.exe	31
PID 2776 wrote to memory of 2332	2776	chrome.exe	35
PID 2776 wrote to memory of 2332	2776	chrome.exe	35
PID 2776 wrote to memory of 2332	2776	chrome.exe	35
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 1816	2776	chrome.exe	37
PID 2776 wrote to memory of 2564	2776	chrome.exe	38
PID 2776 wrote to memory of 2564	2776	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe
"C:\Users\Admin\AppData\Local\Temp\a41c93f1f584aee3a5e1ebd9f197a119a8e6bceabe2bbbd4d3e922aee12f6431.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\u28o.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u28o.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe
  "C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3040
- C:\Users\Admin\AppData\Local\Temp\u28o.3.exe
  "C:\Users\Admin\AppData\Local\Temp\u28o.3.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae9758,0x7fef6ae9768,0x7fef6ae9778
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2108 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:2
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1240 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4004 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1352,i,141042095554162902,2061065430568587470,131072 /prefetch:8
  2⤵
  PID:768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d43267e63280fd76135070aa950c404c

SHA1
871d6befbbdc85ff30b4b4fbb88f8c843ba120ab

SHA256
49922121198b9d853a97ce3ef3fda8db6329cc4d77afc26d0ee475ad89fcd630

SHA512
65e2397ac393b1a8c130673c3c7ddf2db3a2739e4fc5fa4da5556f0095e9ebc6ec84d79c7c954d6983e677776821c060846004431a19bbaad6f9c04c63c8a22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
479a89ff1ab6a47e33d2c39cd0f505a3

SHA1
451f94ee479aadaa9bc4ad84b040ef09cf73ffaf

SHA256
faf030db67c5bc904339f3ecf77df457ea48ea5d6b28fdd09ed7b15390777ea8

SHA512
074b5613400ccadebae80cd9fe36c486db43fd57f892b7694eefd919c156a83538a38df818db51ec6bb67ae53d477b7e9eb142e10a07aec7b386f1787896ec44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
53791e3f645d18a0e11851910dd4cbfd

SHA1
1cd24462c72d7f115c161a6dc8bac1a09ecdb58c

SHA256
b282e183b0a536ba42de33d166c80cd05a5ed671078fd9032e77d0fea8ef3ebf

SHA512
e3842651573f2546edaa428e24c0b56aee14fedf7c2166ef90b5d48d0ded22fea947fb3f2b1575f1c757889b971512243f239cc1c46de8e679e83d55e54ab358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
c1e24e4ac3ca8abe5e40e60c8a81ad8f

SHA1
27a059a9e90c373fc5e578edfc5d9aeae58c9386

SHA256
c11fc15cb79c0a13960fc31dcf1c81a88fa5bb9ec70cc61fe3e14148c55bfb66

SHA512
9d41cea622ee4c304502c775bbef8f56b3739a0503b544510c467d6949273142e8d2e01908daf9b90c3a49f79df8335bbbb588cc9c63f7f65cb46613f37d6efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
267KB

MD5
b03433d9d5293e5b403822c6888fcb5c

SHA1
b364ba0a8909be02526fa223cf81217618547c24

SHA256
b01ff61c6e9aa1a83a304cf845419fbd94a403aebea2e480c35e3a3628ba87f7

SHA512
92423cf455f7a1df8cde7b7d732b09df550169776500ed88d68a4af34df1b110763affe5b07c431c49bec69a4fc35a141e27aa95833261ee0a5c43454f1b5b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f755408b-7247-4a0a-a145-2d680c9bcc14.tmp

Filesize
267KB

MD5
cf01a68a9dcb0bd7504c086c4641a58d

SHA1
2a1acbb6680302b8cb4527aef4a50796a5c758fa

SHA256
1648fedaf35f2d789dba58ca2312a399be008574294f26424dcad5a728e36754

SHA512
e7cabd2fdcb747984926a02e6a7ce3e2590f2c4eb25bf081b83474480d4e423cbc348a3d5e1061c7c5e15a3fe4d3cb7202557a3c484a69d31f5b1e46c27d3eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\U28O1~1.ZIP

Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\de643c9c

Filesize
1.4MB

MD5
436ec7a6805103a828addab17c831fac

SHA1
1abcacd48f21c42c5c22d8d1165e9aaac4239735

SHA256
873fa0fcdfbac2007eedc0db75b5ec6eaa4bc3e6a8a30d70817ae879558da810

SHA512
be503919fcd673f0553ff44e822c7e4c48dac976ba2673f74fcf0bb9c5ae37f72b84140bb90595bef62dd664fe0e713653a4ac2821f4af019e5b8f4e9e56cf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
b5c759e8ce47838fac72222551503672

SHA1
7d3d8f4ed5cc0e37b8ef46fee9d26e52e84a998d

SHA256
1f5500400edb367e238abd6ef0ac322db6767df82381729d9c7801cd54fbe3c1

SHA512
652495ca9d557611eb33b520021ba72b0d9510df4b3f0c8f6fbbbe49a4824026e13e31fc0bd513e41dfb33c49226677d0a506fbc45941f34a0bf5baa06bcb16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
4ac72c324a22c1acaff3e6d1955cacc3

SHA1
df94a32f3f7dc3500e428b66afa5532f79d5479d

SHA256
0c0867f6cec29b9c435fe93ba7eb5055dec011c25800032721201883fffa412b

SHA512
c19419150945b9adc65d42568c6b7873607f3a2ecf5ef676a4c7d30dce82ceb6c0e1305bb44e2da72c52d6da1efe93e12bf2a76b1e1073307b978c5f3b133438

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3CD.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28o.2\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28o.2\bunch.dat

Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28o.2\run.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u28o.2\whale.dbf

Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\u28o.0.exe

Filesize
203KB

MD5
dce5dad83235fc6ed6a3be41c8a0c65a

SHA1
5322656bca0aca1f65ff6a8b9cc0a3f569ef9b73

SHA256
1f1e0fe8ed308f9eeb39dac12c4a1b880effc6c512b4d5f8222987a9cd260308

SHA512
6539754abe61b14abe3113304ff62eb90bf6abf38748d61c72c9b39cc23b36ee3a4fcd27f501528bb8d0bcdd505e7fbb7da30c425a4f7a267a96a106f530f190

Download Submit
\Users\Admin\AppData\Local\Temp\u28o.2\relay.dll

Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
\Users\Admin\AppData\Local\Temp\u28o.3.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/560-338-0x0000000073640000-0x00000000737B4000-memory.dmp

Filesize
1.5MB

Download
memory/560-224-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/2092-278-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2200-223-0x0000000000400000-0x0000000002AF0000-memory.dmp

Filesize
38.9MB

Download
memory/2200-20-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2200-203-0x0000000000400000-0x0000000002AF0000-memory.dmp

Filesize
38.9MB

Download
memory/2904-169-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/2904-2-0x0000000002B90000-0x0000000002BFD000-memory.dmp

Filesize
436KB

Download
memory/2904-185-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2904-186-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/2904-3-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/2904-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2976-163-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/2976-162-0x0000000073640000-0x00000000737B4000-memory.dmp

Filesize
1.5MB

Download
memory/2976-204-0x0000000073640000-0x00000000737B4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-358-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-357-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-356-0x00000000723A0000-0x0000000073402000-memory.dmp

Filesize
16.4MB

Download
memory/3040-376-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download