sectoprat | 115ce6446eddf3422212760d714babecf2bedbc1178c2d0990be1407fedf380f

Resubmissions

28-01-2025 18:23

250128-w1k1csxlfz 10

Analysis

max time kernel
288s
max time network
590s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Package/Compil32.exe
Size

4.0MB
MD5

20d23b37c54fc1434ff3105a165cdac7
SHA1

9cb3811fb5f2ecacadc831d82e7e850abedc19ae
SHA256

8fa9074cd74cbcedc44b12999dbc5f4e51ea82caa24be18b073686229f1f9db8
SHA512

40eb9cc31a97996237e69d975efc1a3c22297403bef211427752926a331e9913801bacc7236e4a67ce988c110ccbda3dbd3e65bcc185d512cfc951b0e05fb409
SSDEEP

98304:ByzK9w6TfpPaVG5I+Juv5380exR4KuNFL3N:QWViB3Mwx

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2424-81-0x0000000000400000-0x00000000004C4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 2392	2188	Compil32.exe	29
PID 2392 set thread context of 2424	2392	cmd.exe	35

Executes dropped EXE 1 IoCs

pid	Process
2188	Compil32.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	Compil32.exe
2188	Compil32.exe
2392	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Compil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Compil32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1860	Compil32.exe
2188	Compil32.exe
2188	Compil32.exe
2392	cmd.exe
2392	cmd.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2088	powershell.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
1668	chrome.exe
1668	chrome.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
2424	MSBuild.exe
1668	chrome.exe
1668	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2424	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2188	Compil32.exe
2392	cmd.exe
2392	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	MSBuild.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe
Token: SeShutdownPrivilege	1668	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 1860 wrote to memory of 2188	1860	Compil32.exe	28
PID 2188 wrote to memory of 2392	2188	Compil32.exe	29
PID 2188 wrote to memory of 2392	2188	Compil32.exe	29
PID 2188 wrote to memory of 2392	2188	Compil32.exe	29
PID 2188 wrote to memory of 2392	2188	Compil32.exe	29
PID 2188 wrote to memory of 2392	2188	Compil32.exe	29
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 2392 wrote to memory of 2424	2392	cmd.exe	35
PID 1668 wrote to memory of 2060	1668	chrome.exe	40
PID 1668 wrote to memory of 2060	1668	chrome.exe	40
PID 1668 wrote to memory of 2060	1668	chrome.exe	40
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 560	1668	chrome.exe	41
PID 1668 wrote to memory of 2848	1668	chrome.exe	42
PID 1668 wrote to memory of 2848	1668	chrome.exe	42
PID 1668 wrote to memory of 2848	1668	chrome.exe	42
PID 1668 wrote to memory of 708	1668	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\Package\Compil32.exe
"C:\Users\Admin\AppData\Local\Temp\Package\Compil32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Roaming\systempatch_beta_v5\Compil32.exe
  C:\Users\Admin\AppData\Roaming\systempatch_beta_v5\Compil32.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2424

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2652

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee849758,0x7feee849768,0x7feee849778
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:2
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:8
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1164 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:2
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3200 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2456
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13ff57688,0x13ff57698,0x13ff576a8
    3⤵
    PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3812 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3436 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3416 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3796 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3660 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4016 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1288 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3848 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1148 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2080 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=1392,i,11500414806769925271,2648381320672426791,131072 /prefetch:8
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_chitchatter.im_0.indexeddb.leveldb\CURRENT~RFf7a3f13.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2a0f6deb37e5f753836c85e0eda8a455

SHA1
0d1296fe7b78419dbb1b781cd1b1e1781dd07b91

SHA256
bacdd063ca595d8cf6b5336f8916cdf1414d61bf83270f6fc7f17f36d9d083ae

SHA512
2d7599f3f90a3f191ee839dab9f400e5ac5f207063ab3ece7193b2833f6fe063068bc3a79c30eae946be801c85754f19f00de6f8edda7fb939af0bde646168e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cc3a736155681abe72053cf785396245

SHA1
ef6cf23f9e1e9a9c7ccb8c9c4e4faf0e50fcfde1

SHA256
c8a0f29058c5a860be97a10d51600879782e5f4b11d176dcdd70a7637570b54e

SHA512
e88f6e78204646326d546b2a01871dd5d4293487345381655e8c3848ee6a214957339a82a64649cca965fb709bc16843b3d15a06307cd74313bf946f37b9d5e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
7500b32fa3f6fb7059f479a1f53c0bc8

SHA1
64c84062bb2f6d9bdddf9bff4bf950ed6f1eec7e

SHA256
8e80b159637f413c71ed96598ceaa5a533a8cb0c49a16c4da10380db8215bdd0

SHA512
e7b012f17dce44d21a30226b1d4617db5a91f2997c202666585405a3cc7c0257ac08f7fc7e30a5dd13490ed656d291e1318963f5c843cdd2c3ff70e27ca632dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3901eb1fa90af6b09d8b29c224f3b6e0

SHA1
0f5541313b9a9e7d1fd076499155d1a2adc9cbbb

SHA256
1b9a5fd91217dcfb949f264ddc046bf700bb754860c8f633de1d53fed3afda4e

SHA512
01390b8bb98aa4b4fe9bf555cd2296cbfcfb0d6479c3275837a28f50000a8d5a03bdf691d16bfb3ecad6f0e7462919a68d08702bd4d7a506319f5280f6f784d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c63e00527c9b16fd91d4fb222b9a68de

SHA1
e8d8ae6f66d021d704787dc1eabdbcbb927a1daf

SHA256
072cb5ad3ed9ebb97f514ab12e8fbc94791a9ef08b6a97976d4e2b1ba6663dbf

SHA512
00023888b80ff986cc3358f64ce07432957ba539f2a367c5ecaddb3e5e6cdce93f82c8d84b452cf4f59ae9b90cd00499f893255b871803da09384188d70ec8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3a6d5d564fe7a5fae189c601efd2dc10

SHA1
26c06d070360ec6981993c351ae8f741284044c6

SHA256
dfd15cd2736c30b1e6f5417e2a92412747b61b397e848c3335991f9f1950bd3b

SHA512
d7e7f8fd698ba474e30dffa38491e29182ac46f4b552cbefcb2ba2b3883a9859616f3bee5ce01626125c947fa5fc23d3c4bd19908dbe60b3a650a9726d53db69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1b780cad36737fed9065f9634fd33b68

SHA1
a82d4a869c7625988891350dfad2d74bd19939af

SHA256
d9edcc05a215c6cc189bb7dfe0d121bad2a16c91eb76a9829a2d6ea73f6531df

SHA512
fa788b22ff57b2f7f40765cab3088c4c9bd1b7a52f2852570f0d8b4870a5238d1efb72e033606f17ff8f84cd0c4b61e15a41866b61def0556732ca964104b18b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f68bb31d310aa3b6c75399e0055f72c2

SHA1
7000f28ff5a14251c126b8a6cbb77e8298740840

SHA256
7e626ac6e72bd4efe9c7792a14f34f89da19cc97ab26e6311702359253b4c237

SHA512
29f03033b8d452dc02b2837cd89039dedab42e1ba7c6b550fcc69c84187256db68317061af5cabf5d14f87384eb4f63957fb951e953b15bd3a3f1b6b84dc68de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
beef0aa3d5c3e466be04837eb33787ae

SHA1
0a12b7e7390790c134b38669cce7ba63fe3394a5

SHA256
eda31832792ab38ef3dafbed4a2e3731d5f76ef84898dc82c1143e4b121fedd5

SHA512
1e9b2902f52689d39e3e6e57effb5c97c4a50d1d183d734cb465bdf53df739b96ff22d59ff684e010a4302688b4ed1f682141a15226cb4a22837467abe6a08bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
55e81e86632a5a363a135e4bcebffacd

SHA1
7fd1c4e1d5692cd3f885868e644cad3ec159ec58

SHA256
700b375fd6210be7ee6af7516988391ae430ec56fbf518fd4dd914ca77c6a7cd

SHA512
a8f37836572e83361a06080a167d4f43da54ed6c4db392ae456820380281a0b71067119ee855d62ba706445ef1eb08a069ba110a4bf3083c40e1253d3ea417cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fd11709

Filesize
1.4MB

MD5
7fd99d562a2cfae0fb8bbc1ba7d00365

SHA1
881b0380ac81ae7a5652160f83fa18161092120e

SHA256
443e79d4d789077f9bf5c46bf2a67dabb709e1bffe1263820b014bfae99538a9

SHA512
842ca650dcfa9fed0a176d79da3bb5a3b993154c27411fe9d4a8d8b63ec23bd764a8c3309ce7ef27ef9fbc45926fbf2ad0b89a8dd2ce25b4b00c4d57c33e26dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC110.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC171.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E9A.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\systempatch_beta_v5\ISCmplr.dll

Filesize
1.4MB

MD5
c60b1956a21b2b79c3a0ddc10ddd01c0

SHA1
d4362e652e06dcb0b6ac26e69ecc38b129c9b6f2

SHA256
18dd5c992a02f29dca485fce30284e975d8e8c242f577e7e7a3a2fe109489898

SHA512
94e2612ec6de026e143fd11c9fb1a1831bb421f279ec3677600d20b2974580da4301da941c50f252176a1e04fcdc4438aa175d5efe462a817eedcdeebe6c37a5

Download Submit
C:\Users\Admin\AppData\Roaming\systempatch_beta_v5\lah.eps

Filesize
48KB

MD5
6a06ae63ae3e122e5384b23764adcd2d

SHA1
48791f6bfaf10d084f98fa3842dda015a7156d6a

SHA256
4d70e937893310e8cf24ba2f3c3b6188d110cc9e4a431569cd0152d9848820e1

SHA512
e3c0522a56dd8f2cd5ae1139c538b70106a4f57aada821a89346473637289255f52f2e84657cf1cf0358e3d3641e65f8632e891597398ecfbd23f236cdee5823

Download Submit
C:\Users\Admin\AppData\Roaming\systempatch_beta_v5\premise.ai

Filesize
1.2MB

MD5
1c5d268ac129f4135290c98b9939eb4e

SHA1
83f9b543f0f8c541dd21cf4f65789c5c19223905

SHA256
9ce616f79b130941b358abbf349638a348185ecbcbfadc0273e59854c2b3e55c

SHA512
b8fafccc6977626bcfaf36b70ed8b428d1fbc5bdcb2e6583b167307084ba080387b708ecb20ee143de083cb35032fdd1f497d32354813c8bfb2ddd7dc686e34a

Download Submit
\Users\Admin\AppData\Roaming\systempatch_beta_v5\Compil32.exe

Filesize
4.0MB

MD5
20d23b37c54fc1434ff3105a165cdac7

SHA1
9cb3811fb5f2ecacadc831d82e7e850abedc19ae

SHA256
8fa9074cd74cbcedc44b12999dbc5f4e51ea82caa24be18b073686229f1f9db8

SHA512
40eb9cc31a97996237e69d975efc1a3c22297403bef211427752926a331e9913801bacc7236e4a67ce988c110ccbda3dbd3e65bcc185d512cfc951b0e05fb409

Download Submit
memory/1860-16-0x0000000000810000-0x000000000098C000-memory.dmp

Filesize
1.5MB

Download
memory/1860-12-0x0000000000230000-0x0000000000634000-memory.dmp

Filesize
4.0MB

Download
memory/1860-0-0x0000000000810000-0x000000000098C000-memory.dmp

Filesize
1.5MB

Download
memory/1860-3-0x0000000077820000-0x00000000779C9000-memory.dmp

Filesize
1.7MB

Download
memory/1860-2-0x0000000074D70000-0x0000000074EE4000-memory.dmp

Filesize
1.5MB

Download
memory/2088-104-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2088-105-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2188-20-0x0000000074C03000-0x0000000074C05000-memory.dmp

Filesize
8KB

Download
memory/2188-25-0x0000000000800000-0x000000000097C000-memory.dmp

Filesize
1.5MB

Download
memory/2188-18-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2188-19-0x0000000077820000-0x00000000779C9000-memory.dmp

Filesize
1.7MB

Download
memory/2188-21-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2188-22-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2188-24-0x0000000000CB0000-0x00000000010B4000-memory.dmp

Filesize
4.0MB

Download
memory/2392-28-0x0000000077820000-0x00000000779C9000-memory.dmp

Filesize
1.7MB

Download
memory/2392-26-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2392-75-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2392-80-0x0000000074BF0000-0x0000000074D64000-memory.dmp

Filesize
1.5MB

Download
memory/2424-81-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2424-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-77-0x0000000072DA0000-0x0000000073E02000-memory.dmp

Filesize
16.4MB

Download