azorult | d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec

Resubmissions

23/01/2025, 23:57

250123-3zw5kazjgx 10

11/01/2025, 00:21

250111-angxaaxlcr 10

10/01/2025, 17:30

250110-v3d46a1jew 10

10/01/2025, 10:15

250110-l97kls1paz 10

Analysis

max time kernel
66s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
Size

1.1MB
MD5

e1acbd5a6f99723b593c01d66db26b8d
SHA1

b3101df9e1c686d2c92814106c414eef586e7589
SHA256

d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec
SHA512

14b2000de6f0956a0f8e34c3de97e67725805fb6b64347f3a118a6709854636bc4e3c4ecb91238971b4b6ea556ca0969daf9c7b9b62bda559462277cb11889e6
SSDEEP

24576:w06qmrWqPh8mEa3H1WG+34OJ0CFpD0Yn+511xRZ8q2XoHWwb:8rWI8jYH1m4OJ0gpD0Y+rY

Score

10^/10

azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes

url4cnc
http://telegka.top/brikitiki

http://telegin.top/brikitiki

https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

scarsa.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 6 IoCs

resource	yara_rule
behavioral1/memory/2844-24-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2844-22-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2844-16-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2844-26-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2844-31-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Executes dropped EXE 4 IoCs

pid	Process
2828	Gpbwrbwuaconsoleapp17.exe
684	Gpbwrbwuaconsoleapp17.exe
1488	Wrygpxuoiconsoleapp4.exe
1500	Wrygpxuoiconsoleapp4.exe

Loads dropped DLL 9 IoCs

pid	Process
2516	WScript.exe
2828	Gpbwrbwuaconsoleapp17.exe
2412	WScript.exe
1488	Wrygpxuoiconsoleapp4.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 2828 set thread context of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 1488 set thread context of 1500	1488	Wrygpxuoiconsoleapp4.exe	38

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	1500	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpbwrbwuaconsoleapp17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wrygpxuoiconsoleapp4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpbwrbwuaconsoleapp17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wrygpxuoiconsoleapp4.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
2828	Gpbwrbwuaconsoleapp17.exe
2828	Gpbwrbwuaconsoleapp17.exe
1488	Wrygpxuoiconsoleapp4.exe
1488	Wrygpxuoiconsoleapp4.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
Token: SeDebugPrivilege	2828	Gpbwrbwuaconsoleapp17.exe
Token: SeDebugPrivilege	1488	Wrygpxuoiconsoleapp4.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2516	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	30
PID 1704 wrote to memory of 2516	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	30
PID 1704 wrote to memory of 2516	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	30
PID 1704 wrote to memory of 2516	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	30
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 1704 wrote to memory of 2844	1704	JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe	31
PID 2516 wrote to memory of 2828	2516	WScript.exe	32
PID 2516 wrote to memory of 2828	2516	WScript.exe	32
PID 2516 wrote to memory of 2828	2516	WScript.exe	32
PID 2516 wrote to memory of 2828	2516	WScript.exe	32
PID 2828 wrote to memory of 2412	2828	Gpbwrbwuaconsoleapp17.exe	34
PID 2828 wrote to memory of 2412	2828	Gpbwrbwuaconsoleapp17.exe	34
PID 2828 wrote to memory of 2412	2828	Gpbwrbwuaconsoleapp17.exe	34
PID 2828 wrote to memory of 2412	2828	Gpbwrbwuaconsoleapp17.exe	34
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 2412 wrote to memory of 1488	2412	WScript.exe	36
PID 2412 wrote to memory of 1488	2412	WScript.exe	36
PID 2412 wrote to memory of 1488	2412	WScript.exe	36
PID 2412 wrote to memory of 1488	2412	WScript.exe	36
PID 2828 wrote to memory of 684	2828	Gpbwrbwuaconsoleapp17.exe	35
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 1488 wrote to memory of 1500	1488	Wrygpxuoiconsoleapp4.exe	38
PID 2100 wrote to memory of 2388	2100	chrome.exe	41
PID 2100 wrote to memory of 2388	2100	chrome.exe	41
PID 2100 wrote to memory of 2388	2100	chrome.exe	41
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43
PID 2100 wrote to memory of 2576	2100	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
    "C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
        
        C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 732
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
      C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1acbd5a6f99723b593c01d66db26b8d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7119758,0x7fef7119768,0x7fef7119778
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:2
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2124 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3780 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3792 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1256,i,14589185879230679245,9866721376567124564,131072 /prefetch:8
  2⤵
  PID:1068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
cf4ca7ad2cd6d07bff3eae8cdbbd11cb

SHA1
0c725f07df91d613782f5743bea80e1dbbe5ea12

SHA256
0bc5e58b01672597f10e9f920476b71d037e111cbf2ec9a91e6128310373e050

SHA512
3881773954426e69da2f9d40f93764b60ece3a0759f544ff31eff54c8d46500d338c0b509da72956b8d02fcca491266949ded17767da84c34a9195923a2dae46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8379759fcd52ba8ffbf5073713b12238

SHA1
be6b3358ed65f955f8a9cee3685fda59767682a5

SHA256
d5b405200f381a79f29f5ae9be06bc8cdef1e40988ca12f9d0ae5dd31b7e5adb

SHA512
c92543331bb9893232bcd5c15b5ce4b558c425fc82553a8ae051be3761d30c6b912698068931efabaae482af53f285768584bd4279785a45ed061745b09031a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9a8ccb51fd775b0ae4b0b05bdc53c8e8

SHA1
19fc4f76e08d053dc323918a01ea338104c35dcb

SHA256
6a8e831ebacacbd392c38b9caa0c3958cda8bb3ea08e0a993f4b6c7f74266886

SHA512
bd7187f3136ca71ba32f9a6ece7496c8777d10d69082cc3fc8b2a9868e9f6a1498a8d5f0aa352394360e9c73c76c30bea5c27565fc4374736db668d35eb780c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed155a9a4962b7bdcb5657194aba5268

SHA1
9b1f7888841ed03f579ad4d7f005ea887f1e3460

SHA256
acd475f6d41b306dd94ceab6e96b0d276456ade6f581d69bb3ac211f27689665

SHA512
ae1eea000d4dee948b6e48b4a26ce1b19cf022f84d90bd779619cd5ce1e92ae6d1ff8c23f11e80040d12db58692bbf1e5c96776c926bb73956d03ec99572bfc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
1e5be18259ea01898123ffcb8de516ef

SHA1
496751aa5c18e89c3b70b85f614746f3d5bf1951

SHA256
00e776550cff0e8a59290ff41db5b9fbeb47a917856190b4f5171ed33c42d640

SHA512
2c5932168dd8c3a49db661daf0aeddcaeff9102db263f4a5ac84a025fa5f1f4ec226553c294b47a801a57435112a19594a6364a5ef5a4cb3818624cc4968a6bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
372KB

MD5
5deb4a61296db74952ba8aa553ec5069

SHA1
0ac7be9d0f226c9919aeb8fe9dcbbb4c80d7caee

SHA256
9d6f1cbe51d97743bd43cbd66a09d2919f2cbf6aba436b7cf343812d6a0523e7

SHA512
9ec84bedf6020b613096e923f51e12be4925ceb6e54745edbbb1c360673faa8797ab917baba2adcca4a70457c72713591f002f923ddc51110441fc1273bb8059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a487f2a3-1141-431b-bf19-0dfb0331aca2.tmp

Filesize
355KB

MD5
5db8653935b1594bd5232d5ffbcca9db

SHA1
75bac821092252dc54ed179aa877e7f49fe4fd92

SHA256
a8e9b0521e618f7dbf7b180a27cc4da0c2a587d39266f8688c56cf29d5093040

SHA512
220fafbe19410f7fa22e9b368f3b2609324f6ae250ff1da7fc063e7d63dede00169faa80536ff7046fe9cc039d1e884a8649ad6bfeccb786f9ee7acf6261e1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cluexwrmdbpntfny.vbs

Filesize
108B

MD5
6b0154ea182640615f31706030f68c68

SHA1
9ffdfde77609c938a2d34483a9d6066f22bc791b

SHA256
78c821ffafd8ccb109314e16cee0e1e4d69d76aaa87aed8e750d15e7816b1043

SHA512
a815ae4b298510b91a9a06cab1068f85326394b9b250484376058ae127b2d5e97d31f31a0d85a6848200f71f4565c7a5f2934427abec52bc245198e171634e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gpbwrbwuaconsoleapp17.exe

Filesize
598KB

MD5
1597ffd4b1262d1d25f34f0de7aed129

SHA1
936fcc97ca39f39aaa05635b95da5a7698785546

SHA256
f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b

SHA512
29b611766ee35dbf286a71462d845f54897b21c583e24eeb4cbcf5bc387f2468d0ebdb1712f6fc54b3a122d2a1fec122f7c9af7faeda31e6e0625cdff77d9dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Njoarrjqwtkcyedoiyokf.vbs

Filesize
109B

MD5
affb5ef06d9491a7792bb095d79c76de

SHA1
fa1f67d95cd8c6e92175a013dd85e249e07f58cd

SHA256
ba957adcb69f054612b662976cd85a723a281bac10d7d0df0675386916373900

SHA512
75c2b707e7a0afb90a7714516eaba3694b21fe6d036fefcb46c89463e83ee3d8f93769ccefb9498cad5a4911147d91e0d506c2c152dc646a3dcab515bcca7a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrygpxuoiconsoleapp4.exe

Filesize
311KB

MD5
960586bdf44ca1fcb8e80cd5846a77b6

SHA1
50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb

SHA256
92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305

SHA512
1e2676c0357d3d1c1177d36816c84c5157956afc2d0ef30aa4fd0ea3aef3150cec31e3a9cdcd31a6d71b8cd2429973e27584e7a9b8003be475c935e31e1a283b

Download Submit
memory/684-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/684-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/684-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1488-58-0x0000000000970000-0x00000000009B8000-memory.dmp

Filesize
288KB

Download
memory/1488-59-0x0000000000490000-0x00000000004B8000-memory.dmp

Filesize
160KB

Download
memory/1488-57-0x0000000001060000-0x00000000010B4000-memory.dmp

Filesize
336KB

Download
memory/1500-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-8-0x00000000047F0000-0x000000000484A000-memory.dmp

Filesize
360KB

Download
memory/1704-5-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-2-0x0000000004B80000-0x0000000004C8A000-memory.dmp

Filesize
1.0MB

Download
memory/1704-29-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000000A00000-0x0000000000B18000-memory.dmp

Filesize
1.1MB

Download
memory/2828-38-0x0000000000BF0000-0x0000000000C10000-memory.dmp

Filesize
128KB

Download
memory/2828-30-0x0000000000CC0000-0x0000000000D5C000-memory.dmp

Filesize
624KB

Download
memory/2828-32-0x0000000000690000-0x0000000000720000-memory.dmp

Filesize
576KB

Download
memory/2844-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-22-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-24-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-26-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-31-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download