stealc | 7261d4b797dbbf5cb8c015beb343ef7f95f1183553d34d11b5a620ee34c80ddc

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r6_external.exe
Size

3.7MB
MD5

6b81f9f9d69045ba2ebb229dfcd42554
SHA1

d3ec868616014de922e1e8fa77f0fd9e19e72f3c
SHA256

7261d4b797dbbf5cb8c015beb343ef7f95f1183553d34d11b5a620ee34c80ddc
SHA512

c618541f8534d60522c1ead509e2682d511bf749a4221db4b4383da294d8fa807f334c30f4a8b66171a2345381067e5cdb3b79eb72823bb78842b611aa96cc63
SSDEEP

98304:TXJFZkiG8LhDN7S8bPDUUNiAcN+KK09tpC/Ms:TZFSEB7S8bbUUEK0k/

Score

10^/10

stealc game credential_access discovery evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

Botnet

game

http://193.233.112.44

Attributes

url_path
/383ccd496f3c5eee.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VC_redistx64.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VC_redistx64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VC_redistx64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	r6_external.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 3 IoCs

pid	Process
2904	gWsmPty.exe
740	VC_redistx64.exe
3152	r6_external.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	gWsmPty.exe
2904	gWsmPty.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000b000000023baf-19.dat	themida
behavioral2/memory/740-31-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/740-35-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/740-34-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/740-129-0x0000000000400000-0x0000000000B78000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VC_redistx64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
740	VC_redistx64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gWsmPty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gWsmPty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gWsmPty.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730385870690915"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
740	VC_redistx64.exe
740	VC_redistx64.exe
2904	gWsmPty.exe
2904	gWsmPty.exe
1732	chrome.exe
1732	chrome.exe
2904	gWsmPty.exe
2904	gWsmPty.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe
1700	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2904	1988	r6_external.exe	86
PID 1988 wrote to memory of 2904	1988	r6_external.exe	86
PID 1988 wrote to memory of 2904	1988	r6_external.exe	86
PID 1988 wrote to memory of 740	1988	r6_external.exe	87
PID 1988 wrote to memory of 740	1988	r6_external.exe	87
PID 1988 wrote to memory of 740	1988	r6_external.exe	87
PID 1988 wrote to memory of 3152	1988	r6_external.exe	88
PID 1988 wrote to memory of 3152	1988	r6_external.exe	88
PID 1732 wrote to memory of 3660	1732	chrome.exe	93
PID 1732 wrote to memory of 3660	1732	chrome.exe	93
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 536	1732	chrome.exe	94
PID 1732 wrote to memory of 4492	1732	chrome.exe	95
PID 1732 wrote to memory of 4492	1732	chrome.exe	95
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96
PID 1732 wrote to memory of 668	1732	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\r6_external.exe
"C:\Users\Admin\AppData\Local\Temp\r6_external.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\gWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\gWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Users\Admin\AppData\Roaming\r6_external.exe
  "C:\Users\Admin\AppData\Roaming\r6_external.exe"
  2⤵
  - Executes dropped EXE
  PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff952a1cc40,0x7ff952a1cc4c,0x7ff952a1cc58
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2564 /prefetch:3
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5212,i,7655860943709961536,7936566205302926492,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
4984d14b0c8fd3195959c7eabe35d883

SHA1
cf5852b73659103e418b1e5e0ca898aa1606b0eb

SHA256
a1d43485175ecd4770d80509fa2101565d88dce1f459d170bc141c8fcfa7f96a

SHA512
2f1dc2d471e9ba5f9cdd1515cbb8b156c57cc7ecc700ad3d275c20b9f279a6f5b5976b6cacfd95640279193d8e3a2801d6aea4fd32db55c4f45d6fd81fcb0657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
da418edf6cbaacc217069dcbffdd9849

SHA1
7e652ca33186572248b700737bc148be582d4157

SHA256
f4726a8e841d2650fc87da132ae2515ac97d0a14a1bee34bbe6597f6e14d9b84

SHA512
706c31e9ec7aa157b8558908b2a3da498c2c339b51ba06fb85607b10f5182f2842c9ed0917e0d0e886800393324a617001523adfc35bba552d0c57de4c2e29fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
d03af05e0026750ec17eb8720a562180

SHA1
aac165c99fddb440c36405472e6b7640e4f0099a

SHA256
68c35f606cc6873b2bb824d64edb382f3e83f05dba8a437d1db6150bd47d9cad

SHA512
9cf4ccf87b58810b06e7c10bd7bb9d56e42dd3ef923c5ea6b2e5bcd48f54b97dffb6f71bfc0a76e68954428139a48911855cf71815e2f81120756e3598a815bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
949f4255e358172daac5c7776f159c61

SHA1
1d19c8b85d4159f45f764c3da34550b348c0a76f

SHA256
b49ea009c3508050c3d1aad89366720eb47f96cec18fa52b996b525283a74ca1

SHA512
6d439af76c2db97acdfe049df8e7d26354cdaf5e6ab498acbe082003f30eba132f22f30e694e3bb961bd6550f7c1c5070197003de37b5671f45744036812a59b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
a1ff6ffd5e5cdc67eec3c9c7366d1906

SHA1
520145b3351111bb802334a473cc75a2511e7841

SHA256
d1879a9b471db62224c33b31a613767da6f3ced49392416e6f9d4de89352e54d

SHA512
adf2e88cc58f1c8f9d1e4e2996d39b240d73bd404f7cfb354ef225660db819b5969d9834c2157edf8476500ed799d8c6bf09a642820993cab9cb6b4a081fce2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
9e965ff47419a10b872801632d35cf60

SHA1
b864b533c651d67c339f85b62dbe70863fdf16b4

SHA256
bc1a4cb9a7fb85b0406711600a5c3541b7e9dd3b8f2c5fba7c05e55e38bfee30

SHA512
853c85ff6084d7912089640cb50dfbd1337153885b94cc7de994360421d850f8b91836d1211166b7995e74b62f38f3be0888ded0d118709374af2bc6efca236b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b840b680a50d4aced0d9bd5c57f0bee6

SHA1
9aab7d6c3ba9128be30b3301c9f041397ef8410f

SHA256
2325b618a4773d58ea1101a226be616a8f325d6b5b82250c898ffd5e3d15cba7

SHA512
adc6feec748ab7940bf92a780b0f54c065fd2e5a328306c6d91cf6a09c207747a841a3c143b19a682e0590a58cbe49d4992787ca12d9e455acdebb74c0eca553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e410b30748bbe5a04dfb44b6b48ee855

SHA1
03028610d99560fe5894eb427ac3fea174d134ed

SHA256
e61db9d0721a70afa378d93df11a7ca8c19135380179e935ed17956421b5f8e6

SHA512
09eb90c86b4317dbe6eb66158572b9f7b9e24ecbe199430277b36c2d8cbd3cbbf315955ae000efe478347f3da29256a097be2d8fcf22e53e5c4e2fc246b6ad13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ce2050371b29027694fdd9818ee798f2

SHA1
fa08fe2c7bd1f9b1cadee1051bec4e1aae5474ff

SHA256
a3b740321d954ac99325ad1e2b71c6f4fffb57efc3c9c8cedfa6ff853aa15fb4

SHA512
ee670413ef2aeecb4c8c8bd81befc6b2a0086fc6948138a9bfe14b789d74cec33642cd9b4fa6b7c98f823f9ec66e4bf215501cc7878410d3e26893cc7a3c57c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0ec6a7b0a874bea885d3266435fb0c63

SHA1
ae5b88d98e3f09d75a42a928e2c0f48bcffc956f

SHA256
a2876ca7c33f0c1b47c1451cf3a551b05367840fac3129d077d213a3c1d5a32e

SHA512
106fe706a0d611100c26a8b966dfb966427dcb291090f1caaa323c24845fa61ae30acbca2429741161ac3023d17ffbf76dbf14e4c3a36f628afcebfe693c4bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9ddc58cfcb815638b0f782d122c6c334

SHA1
f51df04c2248aff3baf546655764a42aa01205ee

SHA256
48fe2d02ec24b7ade57afb053bf2e789828959fbd2cc524fa0ceb5ad4c8c70ed

SHA512
041d4f19a7b08c2e48144d79ef412ada900907a8dfb4de1dbedcb793c6504bcdbdb312d3715229924a0ed7536dcb8c0de60c1b448496c6b8eb5e913b5bb959e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
23ed9369a9dbd9231c74eb5e9b8b7a29

SHA1
5cb77993d3bc1f4cd0d339bc390e277364e74aac

SHA256
099052abaa56767bf6a234356ca573d5e8952733cb128510e10c81ade22dcd17

SHA512
fda7d342bee85ab295c279ad3e4960cf3df9684b9353b7e5dba401a6b18ca6b3a8c758090e9f40e9dd140e9029edb6f8436b4a00695e3367ab40b69e46d06a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dbfa9be1854957c8adbbc021899bc074

SHA1
601c00b5f8d41ac97a7d54efc5819e758181421c

SHA256
d283dfd69e41de43c6885b30981bbf601e19e484032c3909b3d298c264d07cc2

SHA512
e602c920286b8077f80d2773ab71182a8976e98f639371d3a7e4578942398423e739a90a603e66fd7215345897704df7bc7c05e3ef402d927f18aecd26b152b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
35fa29f9a57cfed48ac5b354e95be35b

SHA1
bb16ef581a1128a4a5700c1737a57d7bb564d1a4

SHA256
0a6c3c68f667e2753ad7a17e127c35349d17ef6cf5ebd6e9fce4f4af3af6a59a

SHA512
c631486f0bea17a3a649833063c8cd1a379a6e5bd05dbb489910624ad77930844b07db54978ca2f779bcdca9cd2c60b85648809560ba0472242d4268983ef0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
17bc3e79314cc2127dbaaae463287ecb

SHA1
5da236aa11d76a6907a4737527e9d09bef6e9e5a

SHA256
64233a6c4d8f8fd4af7e7130216f5e60fab948d35976b2fb8c56ea9788ebc9b9

SHA512
7db6b86bdb921ed23da158fcfbef7e916bf3a95c0900aa45a195f5922d6825a32bb52322104f0fb3c6afee76bc4b696c01b22825c09b7449e0f55ad2591b41f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b7a9db92dfacda1b2558d32f0c89150

SHA1
a4bbdc8f27805b63515b5a754732321995dbb4a7

SHA256
a97ab4a06e9ea1b0063160bc87f67e7dfd833d5f4e513df67f5d7db73b743ffe

SHA512
f4c9791a61a7a60ba635b0de1c89a078822c9d178e31367edecbc2782308b7544a3d96ca726bf089e8a77111e0d7dbef79ae2e906d1166fab0ec6f87d11c7071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
49a6103c9c2d540375f802271e8c4984

SHA1
05c033d79c75250f0b9eafc02a628c56b45257f3

SHA256
37cc939616b484fd1220df8654d09bb02f19236a57834c5bac8f8e5da04de90f

SHA512
0d5978bd600cb23f2f02e71dabbb4d31c72dca63dbfe04e33048803e95f54044d3dba102b203551f2f18355e203c4db6f1e495b492b894197b4e604d7c769907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d0efc26b-c42d-4636-9d68-0c5f82d2923e.tmp

Filesize
8KB

MD5
b5eb6490b80488df0ee3f851b4fbfe24

SHA1
74d81efe86eea23a583d0878b489e659483c8bae

SHA256
a832dd26345f15845e117ce9e06ff7cd9e39426a70b834255770ad6119ae8116

SHA512
da857bed4eb7ab262a2a400d1dc99d38f382a05d53f72039aa2caa4f6fb875447f9dd102b59b0cded0b079a57d335e3433201031209dcd2b724c5227d0a4b98c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
2b0f36a0cb31acacbdf9ba7b23aa5d54

SHA1
91d60655c257e2a1df8a01010f9af275929c44f9

SHA256
7692a429571715b1b9a0c89784bc063929d0ca5f0cb9c6ff4c55c3f29625dc40

SHA512
981d732260aff3efdaadf23c1b72991027ececdbc7056d1d8651e25071d4d4ff596fa7980fc4700cff6a0f24bb6af2a4986ae49e65df008f48a4da8c8ce3a141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4c0390c0af1aa5d7b4af5744c7fa0083

SHA1
1189b44023562f8c696b8732d5df8d39b0027f31

SHA256
dc2167b6cd7bb46235e46efe3dc50842ece2c52d6bf98cbd4adc2efe27fcb471

SHA512
1b836c1c4c3789884b90d61382bebf0006786730369a0a05095fb2af8b3ce9434800d9853e0d7e4797abfd695bcca6b661ae7952831adde7a1fb9999b45f7582

Download Submit
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

Filesize
2.9MB

MD5
507acc8f3249adef7468989fee931211

SHA1
4d66286973a21e76b0e2c746bac00fa28d446ca9

SHA256
6abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154

SHA512
2faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3

Download Submit
C:\Users\Admin\AppData\Roaming\gWsmPty.exe

Filesize
322KB

MD5
c57f035e099bfe7f8d56917a22266dc9

SHA1
88a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87

SHA256
d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3

SHA512
836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4

Download Submit
C:\Users\Admin\AppData\Roaming\r6_external.exe

Filesize
37KB

MD5
96276e48409016997548282874763107

SHA1
1abfb128b7d0801c7277755635eb5d533495836d

SHA256
9237707a4d9193738e78acb7ff264360fa46e54cfde6e383efb20fffc6488a5a

SHA512
fa5c857fdfb6cabdce2895d29400e0faff808efd51da4f6822d4c40fb3988fbcbb6803ee8ac47eb02d765ff92c2858d885c49e1c812d267d173697191d2da112

Download Submit
memory/740-31-0x0000000000400000-0x0000000000B78000-memory.dmp

Filesize
7.5MB

Download
memory/740-34-0x0000000000400000-0x0000000000B78000-memory.dmp

Filesize
7.5MB

Download
memory/740-129-0x0000000000400000-0x0000000000B78000-memory.dmp

Filesize
7.5MB

Download
memory/740-33-0x0000000077614000-0x0000000077616000-memory.dmp

Filesize
8KB

Download
memory/740-35-0x0000000000400000-0x0000000000B78000-memory.dmp

Filesize
7.5MB

Download
memory/1988-0-0x00007FF942E63000-0x00007FF942E65000-memory.dmp

Filesize
8KB

Download
memory/1988-5-0x00000000028D0000-0x00000000028D6000-memory.dmp

Filesize
24KB

Download
memory/1988-32-0x00007FF942E60000-0x00007FF943921000-memory.dmp

Filesize
10.8MB

Download
memory/1988-4-0x000000001B6D0000-0x000000001BA5E000-memory.dmp

Filesize
3.6MB

Download
memory/1988-3-0x00007FF942E60000-0x00007FF943921000-memory.dmp

Filesize
10.8MB

Download
memory/1988-2-0x00000000028C0000-0x00000000028C6000-memory.dmp

Filesize
24KB

Download
memory/1988-1-0x00000000004C0000-0x000000000086E000-memory.dmp

Filesize
3.7MB

Download
memory/2904-67-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2904-212-0x00000000006B0000-0x0000000000913000-memory.dmp

Filesize
2.4MB

Download
memory/2904-13-0x00000000006B0000-0x0000000000913000-memory.dmp

Filesize
2.4MB

Download