030ea9a39d673500d2cdb7f5ba377aa57e535b7327d28a1d84763ca58b72684c

Resubmissions

02-08-2024 22:44

240802-2nrv2atdlk 9

02-08-2024 22:42

240802-2m3k5stdjk 9

Analysis

max time kernel
101s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ItroublveTSCV8.exe
Size

2.9MB
MD5

04d9deab1ba92eecd071d6e47e360dd9
SHA1

73ff84e18d53babcc61699501b0ebc68a1420661
SHA256

030ea9a39d673500d2cdb7f5ba377aa57e535b7327d28a1d84763ca58b72684c
SHA512

738e67e97f4a159e9c376ba458cfb908c9782325ca6d9ebb101a5135335fcb784e4fbe7123dd182b240896153dafeaccb2b165f4f4bf8b2a8ae0b5f21407756f
SSDEEP

49152:/smhnqAs9pJc0dnKh+Q0N1rs+vIUSg+6+8ohnRh1Na1OKM6nYAKhFQpSH3Oh5gxr:pqXpy05Q0N1rsYSZ6BoXh1kkypSH3Ohs

Score

9^/10

credential_access discovery spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4924-18-0x000001C53BE00000-0x000001C53C142000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000023454-72.dat	Nirsoft
behavioral2/files/0x000800000002345a-82.dat	Nirsoft
behavioral2/memory/636-101-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2668-113-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000023456-104.dat	Nirsoft
behavioral2/files/0x0008000000023457-129.dat	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4924-18-0x000001C53BE00000-0x000001C53C142000-memory.dmp	WebBrowserPassView
behavioral2/files/0x000800000002345a-82.dat	WebBrowserPassView

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ItroublveTSCV8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RtkBtManServ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

pid	Process
4924	RtkBtManServ.exe
1524	bfsvc.exe
2040	snuvcdsm.exe
636	winhlp32.exe
1328	hh.exe
2668	splwow64.exe
1336	xwizard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023455-99.dat	upx
behavioral2/memory/636-101-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2668-113-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023458-106.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
14	discord.com
16	discord.com
18	discord.com
19	discord.com
20	discord.com
21	discord.com
13	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api64.ipify.org
12	api64.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snuvcdsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwizard.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	RtkBtManServ.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2040	snuvcdsm.exe
2040	snuvcdsm.exe
2040	snuvcdsm.exe
2040	snuvcdsm.exe
1328	hh.exe
1328	hh.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
1336	xwizard.exe
3156	chrome.exe
3156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	ItroublveTSCV8.exe
Token: SeDebugPrivilege	4924	RtkBtManServ.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4924	2868	ItroublveTSCV8.exe	85
PID 2868 wrote to memory of 4924	2868	ItroublveTSCV8.exe	85
PID 4924 wrote to memory of 2924	4924	RtkBtManServ.exe	86
PID 4924 wrote to memory of 2924	4924	RtkBtManServ.exe	86
PID 2924 wrote to memory of 1416	2924	WScript.exe	87
PID 2924 wrote to memory of 1416	2924	WScript.exe	87
PID 1416 wrote to memory of 1524	1416	cmd.exe	89
PID 1416 wrote to memory of 1524	1416	cmd.exe	89
PID 1416 wrote to memory of 1524	1416	cmd.exe	89
PID 4924 wrote to memory of 1896	4924	RtkBtManServ.exe	90
PID 4924 wrote to memory of 1896	4924	RtkBtManServ.exe	90
PID 1896 wrote to memory of 2412	1896	WScript.exe	91
PID 1896 wrote to memory of 2412	1896	WScript.exe	91
PID 2412 wrote to memory of 2040	2412	cmd.exe	93
PID 2412 wrote to memory of 2040	2412	cmd.exe	93
PID 2412 wrote to memory of 2040	2412	cmd.exe	93
PID 4924 wrote to memory of 4852	4924	RtkBtManServ.exe	94
PID 4924 wrote to memory of 4852	4924	RtkBtManServ.exe	94
PID 4852 wrote to memory of 4212	4852	WScript.exe	95
PID 4852 wrote to memory of 4212	4852	WScript.exe	95
PID 4212 wrote to memory of 636	4212	cmd.exe	97
PID 4212 wrote to memory of 636	4212	cmd.exe	97
PID 4212 wrote to memory of 636	4212	cmd.exe	97
PID 4212 wrote to memory of 2668	4212	cmd.exe	98
PID 4212 wrote to memory of 2668	4212	cmd.exe	98
PID 4212 wrote to memory of 2668	4212	cmd.exe	98
PID 4212 wrote to memory of 1328	4212	cmd.exe	99
PID 4212 wrote to memory of 1328	4212	cmd.exe	99
PID 4212 wrote to memory of 1328	4212	cmd.exe	99
PID 4924 wrote to memory of 3948	4924	RtkBtManServ.exe	100
PID 4924 wrote to memory of 3948	4924	RtkBtManServ.exe	100
PID 3948 wrote to memory of 3544	3948	WScript.exe	101
PID 3948 wrote to memory of 3544	3948	WScript.exe	101
PID 3544 wrote to memory of 1336	3544	cmd.exe	103
PID 3544 wrote to memory of 1336	3544	cmd.exe	103
PID 3544 wrote to memory of 1336	3544	cmd.exe	103
PID 4924 wrote to memory of 864	4924	RtkBtManServ.exe	104
PID 4924 wrote to memory of 864	4924	RtkBtManServ.exe	104
PID 864 wrote to memory of 2344	864	cmd.exe	106
PID 864 wrote to memory of 2344	864	cmd.exe	106
PID 3156 wrote to memory of 3804	3156	chrome.exe	110
PID 3156 wrote to memory of 3804	3156	chrome.exe	110
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111
PID 3156 wrote to memory of 2356	3156	chrome.exe	111

C:\Users\Admin\AppData\Local\Temp\ItroublveTSCV8.exe
"C:\Users\Admin\AppData\Local\Temp\ItroublveTSCV8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6SDcpfIREy9yny5X4BjWdcCnbsJLRsT3HqWFSaQpQt4nZkmO9uw3P6x/MTVfeHyx61SFQTgm72SOLayQLdeXIbeo9aJbaft2mvD7MNkql9gx3X9JRDkPebNAAk65D72Nc=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
    - - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff87553cc40,0x7ff87553cc4c,0x7ff87553cc58
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2576 /prefetch:3
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2072,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4628,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,13199692347175461325,5015126459846011952,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:3404

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2190cd950a9fec6d9646157660b0fe65

SHA1
1a9501f9f3a80850026beeaebf7043a8c99e20e4

SHA256
d602a5332c8c4bea3af59af84b02ad920c5ad96d97a84ae59293650b4605fa35

SHA512
498a180d95b7640311197b60e7992f63bf234ed0b88da6d9d65319c5686fa1ea6cce7cd2b9e03ad167481b4ac3d99c954b8c01c9b7bd1332964104ea8a84d9b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e8d5baaad4145c7eae93eca59be5c5ae

SHA1
b3cdcffdaaa30e581183abd59a3a5cad303da083

SHA256
8a960ca343756d3ec371c6b72fd1f6d6f58c51d4b739c7a4c9cecb631fe1d3b7

SHA512
ab144c646d42e08dd1c8d621de395e05ec533270d26a5579943795fc6d33529fd04f126dc675c11b13cceefc915ba44b36b2352c25597a650530507f52817aa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
08014caeff2dbb5b42ee8ba5239b0a88

SHA1
984a4cb1c52bdcd2f8901ac5db68907819784ec7

SHA256
4d26020621f7a5a9f2462424b8f6f1483d1bd74f5840bb314bfc138e23a66f3a

SHA512
43b2d648ebb197a1015546f0740bc8f7748e1d3824cb2e9c33b2310c5d12eddc9c3ce47530071e70f9fac8ed9c1a54e8c7487ea4b22eab236c563b5682c24f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
a19cba1af4f60c6fae74b153a03b7910

SHA1
81fdb341f021369bf20b1fb4430815d5333466a0

SHA256
b16755c97e4c51f66515801f538e7bc37cf9fc41f7716c337517b06a00f1eecd

SHA512
817667572840da6d9461dfdecff52fdaa355a522a56a5f7e01617cf9071d381f99a860d2a8f5a93666c5eeb701d561d54aca277ea2e655ca0d61dae7070adbb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_History.txt

Filesize
6KB

MD5
7bb425fe37fc1217331e0bd6a1e5056e

SHA1
17561af3a31e1948ffbb2488e2faa3594743acb4

SHA256
960a64aee66e6e83da835f36aba193db0a95ed778fe398bdc507e326456c9e1f

SHA512
c9de84cd4c257f806d4cbf82f61aa22c6009e39febee6778c1d0b893e7a6405b3a1e40a73dd9cb797ba4407e33d8a5ad9f6b26b006c396afc6943717f5b454fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

Filesize
4KB

MD5
c0ab2847671ed5375328c5127a02cc72

SHA1
dc2bcb51562fb17e5c8787833bc0181d88a5b75e

SHA256
e961f466a0638bc99182d0056245e2d8bf1ccc13a189b802aada981f379e2384

SHA512
0b8b634d21ac71e02cef86687bf84b6fcecfd24dafab8130f42ce8b4b3f308a2e1b1fa7bf8d37f2eda76efae2b30b8d39f41d808d771562d8545ed144241924f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3

Filesize
15KB

MD5
11831515fee186b45239e6dd247bb2b5

SHA1
e80a2d3c5297f15e5fac609cac948f86cf394fa6

SHA256
309f386f84c15d06084f22f2b0822a7296d8aee4d6f731e72cc74c40350562f7

SHA512
30c8521687549107044b18ff020ad79727722bf3325444d316ce32c7e75b966a043a07a7c168635d24de63a2a61272764d191ad5dbd13ecc9d575dbef2b9c6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

Filesize
529B

MD5
5242530a2b65089696f3cf8e5ee02ff7

SHA1
d604293148cdd953b3368c54920c043cffe9e1c1

SHA256
239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

SHA512
7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhvBEAC.tmp

Filesize
14.0MB

MD5
ae5d2045d7000116b1764bf522b626e0

SHA1
e9eeee55926e719a123e6730ae7d8c599847f592

SHA256
0ab670b484eeceb9eec367689e0b90b100e9f2724387b7f4dcf3e166a989ed10

SHA512
3af7f459e9c2226728770ca88637116eafa8b9d4c40697088abd9fcf8b55015f0f85f2a397c34fbbdfa48b42e5bded27c535d13102f4ec6b79652d3ed7183d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs

Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
107B

MD5
5cf0b95f68c3304427f858db1cdde895

SHA1
a0c5c3872307e9497f8868b9b8b956b9736a9cdf

SHA256
353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

SHA512
5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe

Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
memory/636-101-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-0-0x00000169810E0000-0x00000169813D0000-memory.dmp

Filesize
2.9MB

Download
memory/2868-15-0x00007FF87A560000-0x00007FF87B021000-memory.dmp

Filesize
10.8MB

Download
memory/2868-165-0x00007FF87A560000-0x00007FF87B021000-memory.dmp

Filesize
10.8MB

Download
memory/2868-164-0x00007FF87A563000-0x00007FF87A565000-memory.dmp

Filesize
8KB

Download
memory/2868-1-0x00007FF87A563000-0x00007FF87A565000-memory.dmp

Filesize
8KB

Download
memory/4924-57-0x000001C53CE00000-0x000001C53CE1A000-memory.dmp

Filesize
104KB

Download
memory/4924-56-0x000001C5236D0000-0x000001C5236DC000-memory.dmp

Filesize
48KB

Download
memory/4924-55-0x000001C523700000-0x000001C523730000-memory.dmp

Filesize
192KB

Download
memory/4924-22-0x000001C53C240000-0x000001C53C2F0000-memory.dmp

Filesize
704KB

Download
memory/4924-21-0x00007FF87A560000-0x00007FF87B021000-memory.dmp

Filesize
10.8MB

Download
memory/4924-20-0x000001C53C1C0000-0x000001C53C236000-memory.dmp

Filesize
472KB

Download
memory/4924-163-0x00007FF87A560000-0x00007FF87B021000-memory.dmp

Filesize
10.8MB

Download
memory/4924-54-0x000001C53C190000-0x000001C53C1B2000-memory.dmp

Filesize
136KB

Download
memory/4924-64-0x000001C53D120000-0x000001C53D13E000-memory.dmp

Filesize
120KB

Download
memory/4924-58-0x000001C53CE20000-0x000001C53CE52000-memory.dmp

Filesize
200KB

Download
memory/4924-19-0x000001C523650000-0x000001C523656000-memory.dmp

Filesize
24KB

Download
memory/4924-18-0x000001C53BE00000-0x000001C53C142000-memory.dmp

Filesize
3.3MB

Download
memory/4924-16-0x000001C521680000-0x000001C52195A000-memory.dmp

Filesize
2.9MB

Download
memory/4924-17-0x00007FF87A560000-0x00007FF87B021000-memory.dmp

Filesize
10.8MB

Download
memory/4924-59-0x000001C53CE50000-0x000001C53CEF2000-memory.dmp

Filesize
648KB

Download
memory/4924-60-0x000001C53CDF0000-0x000001C53CDF8000-memory.dmp

Filesize
32KB

Download