mimikatz | hxxp://38[.]55[.]193[.]31[:]8080/

Analysis

max time kernel
116s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://38.55.193.31:8080/

Score

10^/10

mimikatz discovery upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e531-79.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1920	星号密码查看工具.exe
3568	mimikatz_1.exe
1184	fscan_self_1.8.6_386.exe
4328	sc.exe
1248	npc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000000705-192.dat	upx
behavioral1/memory/1248-202-0x0000000000400000-0x0000000000A98000-memory.dmp	upx
behavioral1/memory/1248-204-0x0000000000400000-0x0000000000A98000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4328	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	星号密码查看工具.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimikatz_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fscan_self_1.8.6_386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726920578003574"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4360	4440	chrome.exe	83
PID 4440 wrote to memory of 4360	4440	chrome.exe	83
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 3364	4440	chrome.exe	84
PID 4440 wrote to memory of 776	4440	chrome.exe	85
PID 4440 wrote to memory of 776	4440	chrome.exe	85
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86
PID 4440 wrote to memory of 4060	4440	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://38.55.193.31:8080/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd99e7cc40,0x7ffd99e7cc4c,0x7ffd99e7cc58
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1232 /prefetch:3
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3024,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4688,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5192,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5148,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3076 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5540,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:1008
- C:\Users\Admin\Downloads\星号密码查看工具.exe
  "C:\Users\Admin\Downloads\星号密码查看工具.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4460,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4800,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3060,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4684,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5852,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5440,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5868,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5792,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5712,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:5112
- C:\Users\Admin\Downloads\mimikatz_1.exe
  "C:\Users\Admin\Downloads\mimikatz_1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5736,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5944,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5304,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:640
- C:\Users\Admin\Downloads\fscan_self_1.8.6_386.exe
  "C:\Users\Admin\Downloads\fscan_self_1.8.6_386.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3068,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5936,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5600,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:2648
- C:\Users\Admin\Downloads\sc.exe
  "C:\Users\Admin\Downloads\sc.exe"
  2⤵
  - Executes dropped EXE
  - Launches sc.exe
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3312,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5364,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5264,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:3488
- C:\Users\Admin\Downloads\npc.exe
  "C:\Users\Admin\Downloads\npc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5204,i,8967320496512851432,14480409248507380239,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:2408

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
547f273c7a6fb894782d4d969abf017d

SHA1
7096d0ad112acd0c1d9b51566131a8a37845e9f0

SHA256
217262d764319957bb089774921654b2cf47f64330f7b4cfec3318eb1a3526a0

SHA512
eb0fc8661b21cf5973853d904286b86b8d70a4bba528703ac0ee27b04df7854423a8a691e72c11f085b72187685160b89574ab03ab00c799645db87b60bab1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
961B

MD5
075604fd006815bf7ec37dfde85afe9b

SHA1
3083b952fb94fd17903a7c7c7e7e47b25ac85450

SHA256
594187459c7726480821fe884cc05b1cdc2cbec5b182cce54cca2fe4516a5198

SHA512
cdf4b8092d239fc483a34b328f1209bb8cbd0d98b9d4348f7fccc4fcf97a9f1eb672377b79890a51988f7ce559472bf263f88283771d1ad9a9ef13eb4917eee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1624af5ac521f090bfe07df0ed54a815

SHA1
01cc3bea0e3d2ae790afeb2619eba4b09bd5801c

SHA256
d53204da2577f93a507a308f7b75b1f1074969f8799c0cd7fb9ed370d63f1479

SHA512
ac3e828aa18e57799551a073745c3e7481afb0112f64c8738a2b4ab16faa56e0cd284e8d910707ae45b46d25be0e4ec3e5cf2dc68f27faf82f5f93cb0a64ea52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9f9309170f0ca8f38ad7b5e983c8767

SHA1
80d8d9702fb8f9f1b4de7083c18fe933943561a0

SHA256
11bc94a0195239909aa57854d3c29ff16e2ac2a0d3cfe5a4de2ac3d3ace2066f

SHA512
bc744c605b89e352b0d061526ddf6e614695b37507c4dca4e3d145efc55d2c2a4c603b9b29ed81e09cf4dbb521cb4c3a866f493bfadde0b258b49df1f5ac6cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28b0b597cd2e40f4670b254122915556

SHA1
67bf18ae7cfb6a52ba35711ac43a9e2885fd92c6

SHA256
d9a97b9dda33902117132109dc7b80e25cb532b2b82f5d947c332803ea4b62de

SHA512
8b6d28c3c68de6dac57599bc47403615273d2d6127de1a6c3def0db1cb94844a6babc97a80c0f6d9babc9981360123a075522d02345ffba8e20bad148b181a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66a83d9f0f24007e792fd3c3a7893d07

SHA1
b27511ff6694e6a17bb78811b078261bea80738d

SHA256
6c2fd95c00b6e8b7185a3efffa82f0b52aea7adea51cd70725e3c5b22c6762f3

SHA512
9e5b6e115b500f12764d8d62b470711b6aba1c4f2abdcabfa53866fe2389b589f348eccafaf83b46b91782e76d6ad02df5ac40b5528a0c5116b63d6d53a4bc4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
03bb27402444f55d26c2352ad7b2262a

SHA1
e1e2497b62582311893ba09e83aec7eb5aa11770

SHA256
00c8586b65122106cf44cc315fd165eb4fb6177a264b0f3923786e949b37f3dc

SHA512
1521c1db4f998af149a68bc80267b551e21536b572c66ae25dd3c1042bfecc056dd7ad254f907a1692bb5d2cecf0d9bd3c2b18271ab634973c81a088887f17d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25caee7a0c9f32bdc33df583804eea2e

SHA1
f5161795b7e4d31b54ba6f4e420f9cfe12f7fb01

SHA256
16aa1494cf28fd832d89d9fd030b42bd50194e88604aa28c4651c3d93e98bf1c

SHA512
7236efa5b5242272ced55e338851534be67578c8971b2e7c4d5477b960a4a497585e58a7846863cd19d61225be0759ebfb10a0af462cbe955417042dc45ecc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08d4a69a010c7db27a15fb11f4225fa6

SHA1
8729bd7a5ec02d9ad552b0faa4f7cd4f85bbae24

SHA256
53acd5ce7ab2529237a087420bceb673323a9d1dd9de679cb4c207dde9240bf9

SHA512
ae5ae9275f4394c37ee7b42eea6d849cc5629f2a9a0fa64111c1ad4670f15cbf242edf003a26b4a692ddb47cf5a7f6efa164327720edd81baefe40239587a3b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30ff1cb9a7f282dc20593ca4a9805e86

SHA1
2a99aeda272308941a59093fd35d17245e99762c

SHA256
efbc1b3d019cf08d7e43a2c4c7ad64951810ecce20e6a1e1185b1d73421b7476

SHA512
e78d7dbea503ec4ac08970ec8ef250c791733024ec38dbedc6f7f1eca6c993511f234016c5734152b743e24ab098e744492eba3735d1f94e1816de2c3818f988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
807b50b5b9ca895fc81e495016ca9a9f

SHA1
d4c5bbac49d24e6411df286ab2fafa5610903313

SHA256
c7cf06c52a38cd3e3f88e2b5a672274eb34d793bdc3a476b33f581008914b752

SHA512
58d2f9133025178c24f47c40e245e0dedf1577595430ccc18a3345394a538bf0c647deb34c783b7c07e71873cfbace9a25bc38996dc149d9f35196b668712607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
80d91580358bbe90ccd64c5116753d02

SHA1
6dea5c3f00b31c75411308a90801a88092e5a507

SHA256
7e1bf10121ab404fc2ab27ddeb9f7b8dc8f35a466f2533357c62934c03ac0f30

SHA512
9311436936c2701f3217d66e0b3f9128532e78d41e35367d799522fc9ba8d88ca0b6526d8d26217c364d9acbe0619602d08938a4bd3c811620ec49d59c16f16f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 199475.crdownload

Filesize
19.7MB

MD5
7784b05fcd6b1b0821decc3624578acd

SHA1
f9453468a7d26dea3157f9ab556f557605fa3cc8

SHA256
0df81e98576e9952685a5b0160da2dcef2616984c95982f44b41162e571bad56

SHA512
f39b60103180e7b339b9e891e2f9061591f2bd2ee7d17b14d81922b2d7b51b53759e66232a5883d2963049677a1aed538a0fccafdcaa461251f864c5213dce11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 239889.crdownload

Filesize
602KB

MD5
63cdedcf3d850fba4b063a02dd6ae8d9

SHA1
df05c7d07716bbc49dcec5d9f84aae6901629e6a

SHA256
e012cc55ae16791aaee9ba07a0a9225d832497912bec500fd2244ad6c99667a5

SHA512
61c0339d751996739efe68cad052d55258142864805cc31d77be27ea310e0d168807fedf619c9e247a8dc35980e70a4f2c055d1cbcfc2f3de4d628b983df4676

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 430989.crdownload

Filesize
2.7MB

MD5
11328d645b2248a7adc51a0eecf4c66a

SHA1
6a571bee1f6aaaf8981e191bdcb6826addbdc379

SHA256
e1757787b664c15286c1eb9271a6b1edc9a235c8790eda463fb3bbffbf31a57d

SHA512
b962f7fc608cc51c7e1edf3f50a5fd35b97231a90900f809f87c101de7fd54c250aadc03b25918a5d3ba4db2f7820ed41a40d97bf6b5894ce913604f4c5e953d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 810683.crdownload

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit
C:\Users\Admin\Downloads\fscan_self_1.8.6_386.exe

Filesize
28.0MB

MD5
3915a1486d5e856785978596af940179

SHA1
d3a2f5098b1ffe722e7f216c536b835ab939fcf6

SHA256
f9e2f4c8dfe2c4583d2867a290da16feb61cd4c5af027f2604deddbbefad28e8

SHA512
42ad1441b135c9e926d817d54048e25918f6aa0d84ddc7e690671b62e2c07d9162c534cc3fc78098408cb83061ab464df656055442a9f8f3e992e53858b89c11

Download Submit
memory/1248-202-0x0000000000400000-0x0000000000A98000-memory.dmp

Filesize
6.6MB

Download
memory/1248-204-0x0000000000400000-0x0000000000A98000-memory.dmp

Filesize
6.6MB

Download