purelogstealer | c4174541aa2cef599aee7a376e5de3393446f0018a850fcf1c6658da9692bed5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bot_start.exe
Size

197KB
MD5

9c29f4415a735c3d9ee26ca06385d502
SHA1

127b2d6c2e63bf3ff6fb8fb055a272e088fd851d
SHA256

c4174541aa2cef599aee7a376e5de3393446f0018a850fcf1c6658da9692bed5
SHA512

ac2cf91b4ef1dc72c10d5affa83305aa011b733ffc7ce10b87efe8e91d2a9dda72a52a3806f8a20e6bd02a1873677d74a793d5359c8e235bf64fdd23946927d6
SSDEEP

1536:cHc9JW77pHtDEOFYPUh7N9H/sPafochTLZ61tISqS9HwRXBuS7pR72BfLJFBLbbI:ayy9HwSLZ6vTjHwBBybvIJe9

Score

10^/10

purelogstealer credential_access discovery persistence spyware stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1888-1-0x00000000008E0000-0x0000000000912000-memory.dmp	family_purelog_stealer

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 2 IoCs

pid	Process
836	sWsmPty.exe
2348	VC_redistx64.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe
2348	VC_redistx64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bot_start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699061182758974"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	bot_start.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
1888	bot_start.exe
2768	chrome.exe
2768	chrome.exe
836	sWsmPty.exe
836	sWsmPty.exe
2708	chrome.exe
2708	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4700	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	bot_start.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe
Token: SeCreatePagefilePrivilege	2768	chrome.exe
Token: SeShutdownPrivilege	2768	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2348	VC_redistx64.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 836	1888	bot_start.exe	73
PID 1888 wrote to memory of 836	1888	bot_start.exe	73
PID 1888 wrote to memory of 2348	1888	bot_start.exe	74
PID 1888 wrote to memory of 2348	1888	bot_start.exe	74
PID 1888 wrote to memory of 2348	1888	bot_start.exe	74
PID 2768 wrote to memory of 412	2768	chrome.exe	78
PID 2768 wrote to memory of 412	2768	chrome.exe	78
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 1340	2768	chrome.exe	80
PID 2768 wrote to memory of 2244	2768	chrome.exe	81
PID 2768 wrote to memory of 2244	2768	chrome.exe	81
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82
PID 2768 wrote to memory of 1324	2768	chrome.exe	82

C:\Users\Admin\AppData\Local\Temp\bot_start.exe
"C:\Users\Admin\AppData\Local\Temp\bot_start.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff933499758,0x7ff933499768,0x7ff933499778
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:2
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4060 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:8
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4820 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1684 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4796 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4756 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4000 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3928 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3244 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:1
  2⤵
  PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5452 --field-trial-handle=1864,i,3630365081532325311,11047457891169610664,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0776359d220059b4_0

Filesize
19KB

MD5
d6cfce6ad3b49d2763a8e929532226b0

SHA1
2bd0164854286f8afcfb5400fc34fccbe00966c5

SHA256
2a09efa3dde6a4e7b1597f5ef19e08da7b4475f5f8dec562301f3723481d3a3e

SHA512
8c324835d95a19ab719de2132a904a5c211c4b999e2fb15f885c38ef9f4693d2872286ecb3d80c522b29d8db30c57583b2935a48c8f5e6b2b45cd20ea38feca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\212618bf0fe89965_0

Filesize
280B

MD5
4b6f2b34e107469fb4204008a7469286

SHA1
69a19d986f04fa5d8d988c7d9c5ef93794fc2b09

SHA256
99131f9ba5010b3bd959b2d4af05b896a29c96a1272b5e6b1ddb2d18fb3eef3c

SHA512
e49b1e23bd252b5a07f758097a3215c9d34afe18522924aa876af9d647d2c700c22661128acd9d66bd6a1884e16d621b1d92dc97bf25da226663023573139513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
1f96812e4703396dd0c0e2c97682f31c

SHA1
296160b50347b665dc322a61747201fa580f52f0

SHA256
c42a678f1d0bf3ee6bebd59c1057040e1c8d03b8fbf8778a4aa53afa23d93735

SHA512
d54f5294dc66064179d982be270c5e0f975ba051772acdb9a011f4952e6b6e45a50e434363c56772cd2e5bdef01281c326224f352956064b0626fdeb741933bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e82ba1be0a52902eb7634999a1da621e

SHA1
632ed81f02123c2c543a5bda870c9baf5593fad0

SHA256
359779ec15b25185c27a5cd38adee6ac4ee74b6867a0f82658af8d60f94c8ed9

SHA512
6187c86d28844c93fed1a9f41f56a5139f69908f1d6cf1768f596e780adf3248e887faded03ed92efccfd96d2a611c29fdb90ad024573489d5c5d0b85783629a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
aff0441f64a9778c5ee6424a1a187b50

SHA1
bc3d609383531c76dc32e0249c79a88a0463fabe

SHA256
e30b0a5df6f52b1df521bd063252cf277b109983226e01ce2600ed7fb5e1dd93

SHA512
9b9f4e85e1e63ae8f898ac4bbeaed1452c503129cdbcad2b114e7310ebba04ae574bd047351aa2a4bf4fd53e8d4751a036878ae56df9f1f731c2edcbe58a9772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cba15098c288f3f7db1dee884394286e

SHA1
61a0173a441ce069d015a187b5259427bfa65707

SHA256
cad1583c92b09a2f47f47347881e09cf9dd37288cf5f15fd48987866c0c0fd70

SHA512
174cc214bef5f54f2da0c771bec336b61dced597b6febbb7ec258096828619102cb8012a4d074699df3065416d306d2f783678a609e159da00cf7fb90a3aaadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b66a1c1ed7df3a87dba1252fa601f0bb

SHA1
ba1a14fb153bd6870ed654d8365505f16a19a7e7

SHA256
24703b35e1a0c315e432bbebc60e048a307c3ca50f5c3d639dc0293387601ebd

SHA512
f4a7592d4ae9816a20dc64946e2b382e39172d82d957bf29916982209e2e4fead8d62af9ac8152bbfc5329be56c0a12ccf2e3b1e1d77c792fa8609bfb47c8ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
8cc932b00d78bd25da93c7cd25af6afc

SHA1
7db3bf967ab73e57c47d3143ad4cde1fbfbb22b3

SHA256
37fb308b5f41903e0e1b00ac8d5ccaff1c264e2bca4629974d9212d1a40cdd0e

SHA512
81597a24e344882ea32ae7e2b2825847788630062edf72ec16d3f8fc6dfdf4650b451209ef1a752b76fbab9eb9e0e358949045735581ffd69bb87b934196284e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
e895a0db60854b50851152d69bc4c621

SHA1
a011ac8566ce3ecaac1f3e3337be4069fae737aa

SHA256
d1ccf277d3cc138ecdebb2a7ab09e99828a11716b08b88dc9265cb5184db68e6

SHA512
7fd0558d5243a06f6855627630e84b29add7e63b3cf332a19243545510bc2ad09c9744afa12ec2a7b3fb503e85863016c00e1c947d23a0b33df0eb6f3d212afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
eec76b5bb194f4bc74a777b4d7043876

SHA1
178286c94b6a9afdb1c3704b5138620fbe09376f

SHA256
101652e9d10cac4cd1fbfbc95e30600be6cbe758f470891afe3e3aa8749df5cc

SHA512
d6c055fc53187e0b7189fc736bda7762d50d6ea3661edc841a1e065eb86e08ec87b3beddc4ce4fc546ed040ff9f0be1452dbe58e00c55b7e3c18343aeaea71ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
36b9ef45b388b3701d25c75ce73955c3

SHA1
cf51a863675b367a9ef9b0bf62e8efc3e8df0878

SHA256
3b0db37be42dc16f9f39a83fdc5bfc1f2919a8f1bad0719fceece604ebdd872d

SHA512
10431faaa3925a2947efb3ba3095d188e56d00382badf2f8ebf93132c374b5fad51f9aac125c33238e1ea13b072874b475b7d94e6add42fd21251dcb4306f7c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7a0bb96ea4ef36386ab493eda3c1ecac

SHA1
80fd0bc46a53c27a3d01f96c2ca6d093d46c3207

SHA256
a38111daf2b9948e252ce621c4a6747ad855541aee8072801dc9bcbfedf77cee

SHA512
54086b45ce775a0e2f7bb27580c94f432df2edb3392354b03e2c7f0a819680f81cfc46e8439f9851b3dce0dca270b260e7a25d6910a941dab3f834d73a1421ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a815fb1c8ce99c01ae5d12fae8a886c9

SHA1
a4ed34d6cd0865db899572ee680db34595d810b5

SHA256
cacc81fdf8cfcc8f4b05265cf81e11c3a4a2fceaaae0c2c9d27d3b1b78ade993

SHA512
f37e0895e3c4af1340be9d59ad56e276a02fa4a48e53152990a49e12e869574a212597561130a35fc486f809c893b96d5030624c70cce1b3869df8e8e90097dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e31216429c7924d3d2fee8bee495b151

SHA1
571b7cd09eac7c89d041386adb7f60f9dcb2f7b1

SHA256
c4563d9eb4d1005b110414a5fe77f3e33a432dfc9d7e099d206b26f7ba7bd156

SHA512
56cd49f19351e44fea056ef37735a5b3d69dc45e7c0729bb14e7ee850551bb8f9fb8b02b302f009e155584b69aa4cb322477e17926e6b670173a6482761c7089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a361f65edfe4dd7de4a7f076107bfe3

SHA1
ee1a602fe2694ff05d68f7c4c6550d1b0ea09f25

SHA256
73906d6e9fd8889e560b743193dea715b5e06839c8fc1b79a392fb1bad707d6a

SHA512
1a956f8ba70f7d5d1d0e2c7e5cf2857967b0d73901cab7c893755900b2fe5c54aea858f9e320024f6390e119fd8a0a4658a288a401c725b23a31490fcb1de950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
5e772398753ff9acf9eb5c3b32a07de6

SHA1
07a3ec3450a1d78a82bd88060af3233855469aaa

SHA256
16369c9d34c59840babb9ba86de5a54894493ba0f56b37dfe7a6c66e5acd430b

SHA512
54b1581160714bbe80a31901fa09633ef9917be21cf89ded42c5ee309ee92ec509b30153f10b3095a893404a274717c045bea97914910447661364a6aa813e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
12d7b15fb73aa0391ca453ff9d11226c

SHA1
7d8d1fd8a41cfc1df3d9554f49153c549f9ed37c

SHA256
818b7edc136847c4131f9fe507982ecbeba560808f21e9107c0d5eab64f4b25e

SHA512
76b910b6b426d3aa42e4fdc6b0b9870c204cc55bcf56159ec85b7017a73b4d944525b6bddd93c44ab4f9c36d13c2de580f85204b54c891d2d1a5a26227f7c93b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
054c00e45dd94712b82e06a272e09164

SHA1
5a5ef56fc7565e62a70d0af9b5d9e6fff1c043a1

SHA256
dd6df297ee21d1799def558bc9be2d1c0da23328c1f692779d5cf7c756d7791f

SHA512
6621b9cfad676717902663f23497a1eee25d8a7a4d2d0f9b5315ac9689ea704849a9e70853f069f9a8873f1a3e6859e8a2319f8b34f21c7b7a6c35966e40f2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

Filesize
2.6MB

MD5
e68160008e615b318fbd1db024939c5e

SHA1
3c1e66cf3b46fca3f08df5947a233bc020acaee6

SHA256
d3440651a12b749ba2ca2d424ff435258d201d9e07204a4198d6c28af342aa42

SHA512
5e8bc0f17b8a5870b613461b17a607ec780828a1bc378878fac775564e6953528df41d746b97c57c98cb287a6e7d9e819c7e8ba63b6eba73a47b971f1710dcdd

Download Submit
C:\Users\Admin\AppData\Roaming\sWsmPty.exe

Filesize
2.0MB

MD5
478124644da5f82d2c803238a413cd96

SHA1
021cb64b46517b8efca63633776495a25b0a525a

SHA256
33083ee177bd4115c68c1ef987ab692855fbd1b621a852239a125a32a8775d1f

SHA512
7c14360dc7ddaa86028ed61a03d9610003d041ea431ffea79b6bf9541694e723ec01b603f5b8d5a26056c08b46573dfc199d6c0457ca4a10636dd33786034dc1

Download Submit
memory/836-43-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/836-70-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/836-118-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/836-130-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/836-38-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/836-32-0x00007FF647D40000-0x00007FF647FA7000-memory.dmp

Filesize
2.4MB

Download
memory/1888-0-0x000000007385E000-0x000000007385F000-memory.dmp

Filesize
4KB

Download
memory/1888-20-0x0000000073850000-0x0000000073F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-5-0x0000000005AA0000-0x0000000005F9E000-memory.dmp

Filesize
5.0MB

Download
memory/1888-4-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/1888-3-0x00000000050F0000-0x00000000050FC000-memory.dmp

Filesize
48KB

Download
memory/1888-2-0x0000000073850000-0x0000000073F3E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-1-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/2348-40-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-196-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-222-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-229-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-236-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-188-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-177-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-160-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-131-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-268-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-97-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-71-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-39-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-302-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-16-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download
memory/2348-314-0x0000000000920000-0x0000000001375000-memory.dmp

Filesize
10.3MB

Download