shurk | 60177d46c6dc42fd8118a280e0eb2056f05915dde1c24c4f5322e929c73956b8

Analysis

max time kernel
141s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkinSwapper.exe
Size

7.8MB
MD5

4a0bc66968a6315dbb5927c60f634c87
SHA1

e14dcffa065841466fd023cd99a3354f8edc8b9a
SHA256

60177d46c6dc42fd8118a280e0eb2056f05915dde1c24c4f5322e929c73956b8
SHA512

4f07cda2f639e37861cc7681b33e3ec0dd0670c1d095c66f3df64928c5a01357572016f40d7e16e97c2b66018ef2bb711e454de9607f3b0c4d80bb436776ea80
SSDEEP

196608:YrBZS6ykGjALAZRvMDPFnLTuref1hh/TPTS4nz0szTR7Ai:OrygLAZ0nLTuref1hh/bTS4nz0szTRsi

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/4632-0-0x0000000001700000-0x0000000001EEA000-memory.dmp	shurk_stealer
behavioral1/memory/4632-6-0x0000000001700000-0x0000000001EEA000-memory.dmp	shurk_stealer
behavioral1/memory/4632-12-0x0000000001700000-0x0000000001EEA000-memory.dmp	shurk_stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 4632	2964	SkinSwapper.exe	84

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
744	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591839697450151"	chrome.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
5776	chrome.exe
5776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeDebugPrivilege	1384	taskmgr.exe
Token: SeSystemProfilePrivilege	1384	taskmgr.exe
Token: SeCreateGlobalPrivilege	1384	taskmgr.exe
Token: 33	1384	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1384	taskmgr.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe
Token: SeCreatePagefilePrivilege	5776	chrome.exe
Token: SeShutdownPrivilege	5776	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
1384	taskmgr.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe
5776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 2964 wrote to memory of 4632	2964	SkinSwapper.exe	84
PID 4632 wrote to memory of 376	4632	skinSwapper.exe	87
PID 4632 wrote to memory of 376	4632	skinSwapper.exe	87
PID 4632 wrote to memory of 376	4632	skinSwapper.exe	87
PID 376 wrote to memory of 744	376	cmd.exe	90
PID 376 wrote to memory of 744	376	cmd.exe	90
PID 376 wrote to memory of 744	376	cmd.exe	90
PID 5776 wrote to memory of 5288	5776	chrome.exe	107
PID 5776 wrote to memory of 5288	5776	chrome.exe	107
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 5328	5776	chrome.exe	108
PID 5776 wrote to memory of 1704	5776	chrome.exe	109
PID 5776 wrote to memory of 1704	5776	chrome.exe	109
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110
PID 5776 wrote to memory of 3116	5776	chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\SkinSwapper.exe
"C:\Users\Admin\AppData\Local\Temp\SkinSwapper.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\skinSwapper.exe
  "C:\Users\Admin\AppData\Local\Temp\skinSwapper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff9cd6cc40,0x7fff9cd6cc4c,0x7fff9cd6cc58
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:5328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4544,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4364,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4752,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5284,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4924,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5012,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4064,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3412,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3508,i,8072949032873396794,17112583926636886737,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5552

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
97462dc474b048c0187a846e7337d669

SHA1
e26ea5da5a3ed5b9de5d7988759fc599d59db025

SHA256
3337dd96276809704fad1da893cb3b3b7ae2e14fe6a9a6ff9adaa1a665dc5ca4

SHA512
2d64fa13ab4310f59de7f6ede54c3f7ff2b67d0431490d19b84716a1c167569590a2e1df259a377f787ac6ce7a1fea16545c4f032f07263d566064368504fad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
30KB

MD5
888c5fa4504182a0224b264a1fda0e73

SHA1
65f058a7dead59a8063362241865526eb0148f16

SHA256
7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

SHA512
1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
c0e000ba433093ba3898fba205973c93

SHA1
ec30269b4074a7017e149679a27de7f05b70fabf

SHA256
d50ce869c2dcf986967c63e59f574e3488449cf35943464e259eb5abf4f11eee

SHA512
d33bcb1871bda67df3fb1f7ca4fa690f7fec5c82fbf4b84a17b5f71be03d40e61a5460067e0a11360eb5a463cc3bbe057bb3092acf038f40dea6b3e2c6e521e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
542a4610d754fa59735833a1bf5dff7f

SHA1
9f9befd4d31dff25d2d376bd5df1b9bcc401ded6

SHA256
a39d56f6a534e8eef4260ba8a3ac206b8ae037148549b84d866370a66a61a9ab

SHA512
e967dc6d434e0a3301f1564b4d7406ce6f8a7c53938a4f99273390f051de750dc21dd93f463c866258cd3d9761b5387148f9a95af9bf0e67d03bdf4a0f52840e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
310a379cb09098349f0442641f722fc5

SHA1
bda63ed3aa6a0caefa1e98eeffd6594130612035

SHA256
adce03ab6a0a63f2c80a2c8ad4b8dfc78629509e819e8be4a9c1b09eb278e19e

SHA512
b7049b97078aab9793d95ae80343c0d2a5df9c667dd636dc524b664065e493bfcfa85c857ae8f3a7315f87e3091fe2c8003bba6cbdb38e2f9bcdda8bda8370a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
2e18b75d86e93448c66c10d11a32a30c

SHA1
193d9ce8db4f4b5b582144e1273da4c1d9cfb459

SHA256
d0ef89bfa89dbae0a440d750a691fa72b6a84de574a969a06177e4cdc232d45f

SHA512
6e48959295a419e212c22eb621d41c401f402ca06d51509efe8104ff692cf7158fc1825be3ba467fa63708cfc99810fa1184ba0f153d79d5ca64a326a7720cbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d8395c6d-8f98-4296-994a-d19d343680d3.tmp

Filesize
352B

MD5
9b3f16541c035be129fe78ce9f5bcf53

SHA1
b88dbef5fd018ef9f97458851b03d5dd9f520874

SHA256
a42f3bd0614017058196d7cce53f9212aa7679d30db929c315cfaa1b89c5e6cc

SHA512
44d6543111401ba3f7f5644da89481f561b5b73d2c2d2d71cf947a08ff3aa036c1a613a7181fab6acba6bfaad7c5c498a56b34040365bad42de1958c3615b78e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
043c17108233d94558b2190e02787ff0

SHA1
4f07c56695f47da650ffc56e9c7e205c11c8ee7a

SHA256
6df255f1c79fb9513e3942138f75ee75143f16e33168b6e84b5caf05ca94ad46

SHA512
e24f843ac42daefe0b7b22ae5b604acd7b3244bfd7317e175c3af698ca2d04c2edd3039489c8e5e389d9ae49a46abb2f789dd67f38fee4ba34650f0fa242aed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5fe987da3a1e0cf5a3f9cdc774f30b3c

SHA1
0ce36a90f845bf7375c3d5219c95fb3440046950

SHA256
977e40d5ea5748b6e8f9e1640a85619b9096298a9883e4fa3f2609a31be312f1

SHA512
960212753e71eadf581630d51c6bb2b5140fb77d2cfeb14e5faf409f9a33fff579980cefa0364d2259f2a7e4587c6d3f596a2fa5c53bae55f7b1226d9a9cc70f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3435883d9b76605c905726bdb02eacc

SHA1
030e996daa47580fbc0ee6ca446f9f1ccaa91f19

SHA256
a23692da93b41bc115bce74be83481fb2f3ecc6a8049632efc333de3ca056885

SHA512
3a1f95700c6c7f16c6928029383d5e02af800bf0b5d92568000484b06c58f45b99ec0f006c9cb0e32b7a92c93413e3ebdd55a967b535ccde434f7f7b62ea208a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b704d6ea91b9a49739fc7229ca427192

SHA1
afa1bfd514ea37d4cd8f7abe7c0bbc1ab795f844

SHA256
58e136371bfc09c89a4aec26d048add6bca421f73100b3b6930452d7df153654

SHA512
cfd9b9942621378e9cfe553fa0fc7dc7982cf185b9ec460116af9273d31500163ae806eb1a0193fdd6a2b3f08aedaf782742237f7d6614bbc84622396551b19e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
b3e38b7c56b9afc24765892d9a5faabf

SHA1
7e79eab909899455ddee4ce284aaab964748bb39

SHA256
816044ad09459835bfc72d63a5450f3605bdc089dc83ac316d116bab2f38a27c

SHA512
3e1bbf7195ffad5e4d3acf2d6d02b8d7baf623d20a7d43b702765e4431995bcea74f21db456237c1d4f7fea64a7cca6faf7654d1571fc651baffe8cd52dfdab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
afcacf0cb7e396ad42ed89b1f961041a

SHA1
1ba0e28b9ecc363845bab649a76caa177b288091

SHA256
29c05b00843291e01edc309ae6be4aa1b6008d0d901fd23fbfbc3c05a0afda39

SHA512
4c7f973b16f9072a7479b785aaa81bd01ae56b5299c2aefbc5f71cd7bc10383789c8a8ae04841622a10a36948832c442a0d5179a89a31392941033e765df2630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
fa1328f5937fab7ae07c901b4d5ec96f

SHA1
751ab184b244cef39e75ce135a322f5726e0e73e

SHA256
7556cf531ace88c8aaff93e24b1a27e30667b13b6b1a990a8897b8849927a5db

SHA512
20d9e77cff8e039ed8f5a00b2c711f3db988106e065da05a4cd2aff9e94ecf648dfdecb833d40ec1b044037375629b72bec1e96930b0ae493f48cf4591163d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
e61beb6fe715f42278d57975e990a229

SHA1
1885f52edde39cdc72c9709ca52a64dfd63f1073

SHA256
99b7c73a316fcfcd170f8caac86770c76962502d3a3c7a03feff06af19b10ceb

SHA512
61f67a881ef140badcb53c9eb79c6ac93e9d0b1526d50e0b1232329b4aebb998a383ccba5545d9918ace647da7ee537e2570a697c9a67bbb84a01cc0b68a7f30

Download Submit
memory/1384-34-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-33-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-32-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-35-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-36-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-26-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-27-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-37-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-38-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/1384-28-0x000002A0EAF50000-0x000002A0EAF51000-memory.dmp

Filesize
4KB

Download
memory/4632-0-0x0000000001700000-0x0000000001EEA000-memory.dmp

Filesize
7.9MB

Download
memory/4632-12-0x0000000001700000-0x0000000001EEA000-memory.dmp

Filesize
7.9MB

Download
memory/4632-6-0x0000000001700000-0x0000000001EEA000-memory.dmp

Filesize
7.9MB

Download