stealc | f8eb9b286a0d33e287568961f883aa9d1be6e9ec8cf5eee3a3a1a6b106d02f74

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b985e2e2a066a11c89dd5559cb9cdbef.exe
Size

1.2MB
MD5

b985e2e2a066a11c89dd5559cb9cdbef
SHA1

87af6a1a91f709b045b05e28fd3e8cb7e662e80b
SHA256

766ab23a314977156bd7b40904d72a755f2df9426144aa1d8ca54e941cd973ca
SHA512

e7d181ff075c8e296da373ff50089a8d4441b49ab6b7d5feca23c19bbbf52273b8e8be522fc56aef504ed73d56b2ab178f4f901c12bf5d21567d5d42c4bc2ee1
SSDEEP

24576:5yh5xU9XB5Q0w4h5eh3e3y/b9tqvrpTUomJxc:5yhXUdBS0noM3RvqoMK

Score

10^/10

stealc default credential_access discovery spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://176.65.142.161

Attributes

url_path
/f698bbaeef359c28.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2392 created 3416	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	55

Downloads MZ/PE file 6 IoCs

flow	pid	Process
169	1144	InstallUtil.exe
169	1144	InstallUtil.exe
169	1144	InstallUtil.exe
169	1144	InstallUtil.exe
169	1144	InstallUtil.exe
169	1144	InstallUtil.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2012	msedge.exe
5728	chrome.exe
4572	chrome.exe
1740	chrome.exe
1656	chrome.exe
3984	chrome.exe
4804	msedge.exe
3484	msedge.exe

Loads dropped DLL 2 IoCs

pid	Process
1144	InstallUtil.exe
1144	InstallUtil.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b985e2e2a066a11c89dd5559cb9cdbef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870980802026001"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2392	b985e2e2a066a11c89dd5559cb9cdbef.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
5728	chrome.exe
5728	chrome.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe
1144	InstallUtil.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe
Token: SeDebugPrivilege	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe
Token: SeShutdownPrivilege	5728	chrome.exe
Token: SeCreatePagefilePrivilege	5728	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
5728	chrome.exe
4804	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 2392 wrote to memory of 1144	2392	b985e2e2a066a11c89dd5559cb9cdbef.exe	88
PID 1144 wrote to memory of 5728	1144	InstallUtil.exe	93
PID 1144 wrote to memory of 5728	1144	InstallUtil.exe	93
PID 5728 wrote to memory of 2332	5728	chrome.exe	94
PID 5728 wrote to memory of 2332	5728	chrome.exe	94
PID 5728 wrote to memory of 756	5728	chrome.exe	95
PID 5728 wrote to memory of 756	5728	chrome.exe	95
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 1404	5728	chrome.exe	96
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97
PID 5728 wrote to memory of 5736	5728	chrome.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\b985e2e2a066a11c89dd5559cb9cdbef.exe
  "C:\Users\Admin\AppData\Local\Temp\b985e2e2a066a11c89dd5559cb9cdbef.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Downloads MZ/PE file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5728
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe52f2dcf8,0x7ffe52f2dd04,0x7ffe52f2dd10
      4⤵
      PID:2332
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1984,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2100,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:1404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2388,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2536 /prefetch:8
      4⤵
      PID:5736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4268,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4296 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4576,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4640 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4900,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5244 /prefetch:8
      4⤵
      PID:1008
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,8110229206564977507,9154670385099183433,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4836 /prefetch:8
      4⤵
      PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe536ef208,0x7ffe536ef214,0x7ffe536ef220
      4⤵
      PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,7973094066280312227,7987335613575991870,262144 --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:3
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,7973094066280312227,7987335613575991870,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,7973094066280312227,7987335613575991870,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:8
      4⤵
      PID:2852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3556,i,7973094066280312227,7987335613575991870,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,7973094066280312227,7987335613575991870,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3484

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4662f5ca56ca85682d9e257850d02d5f

SHA1
a64503de307cfa61121163a85e50ecfbe7ca41f2

SHA256
c0983a73a09ee45a6d6320eb99c95f3f9c301d346293ff03587098039e7d6f73

SHA512
6a2f873fd45219efa0ff5214573dfc71686b1aea282b51364e93a034ccab9a1e3eb4b822e135d8c9429b81d3bb57e1c00e71b1355a82afad5cea35b7ce64944e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
5d8cfa6c2ed1b9aa1e4cf628a9bb828e

SHA1
19a1bda7302b5456c3a9978d479d4215a47a4019

SHA256
5f87ccdf54a41920e0850ed4e4306fea02aaf550e40dc1be9e1c52705187c644

SHA512
9195b0b07141e3b82f75009aacc3b7e5fecc0611910adf63dcb145317d2dd1784cf4fecf4edfb5a30081e016a30d594a6c892e037fccae814953cfd0ff251438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8d4194d9c0dd3adfd11b629e1b49cd5a

SHA1
76ef7e34fee97ff47025c61e9e293d36a2b3b42e

SHA256
211006ccdc6dec8db6d98014c0ea6e9d7a1f2a713c7f1fff1248143887ea6f22

SHA512
162d398879560b3c6b8bf83e3dd041ad0f62a6196abc9f0b62c5ddda3a1a67dd55153a69183f14508502c834c9d4469c5f87a5c01936fc04858cff72c61764a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
18a30572cac329f782f5dc8019f54ff4

SHA1
d8e89eb60039b58e9e57ab5cc32ef962d43e974d

SHA256
70e3fdc82474349bb4995e53305265371f8c515f4cadb2fcc8ac85685fa5488f

SHA512
332d08f8c6a0ec5ec61c8bb8fd5481ff4e0f5d02540d86a7409726f330d8bda4e72c15066e674f030504d4951c9f105f01dfcfc26fed8b031dac6eb900ed5d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
1a58892950cc60df902fef701f8c3c46

SHA1
40113ea396a95f93de9fa8e4d2ce9bea343b1d30

SHA256
2a90acaf2057d019af08d93593cd620f739e7ccec7a42f84d6e2d34d32149217

SHA512
fad96523f25066484454d99ff3432f1f08be7d3c4100ee2d458017b0c294dda9cee96fee28c17389aa4081527f1b40c0494293d4e9f8060ea66a08e271c8d0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
747bc2fb9701ad4d0926dacf237b5f92

SHA1
71e6857d45fa9ab8d63ec1264c68103561293dfb

SHA256
114e0dffbc395f4313339f2a6682507c533fd74e8533cc8ce611a12f7105664d

SHA512
3275028da9745b6888708feceac60af457c851ff9fd5cc86afabd8e9b72277d579c698dd94b83aa8fe171016efa2841ac4d18cf2bda4f7ca358cf7372cd48d41

Download Submit
memory/1144-1356-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1144-1418-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/1144-1724-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2392-9-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-1341-0x0000000005240000-0x00000000052B2000-memory.dmp

Filesize
456KB

Download
memory/2392-43-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-41-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-35-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-33-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-29-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-21-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-19-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-17-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-37-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-31-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-11-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-27-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-25-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/2392-23-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-7-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-15-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-13-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-5-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-4-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-1340-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2392-65-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-1342-0x0000000005530000-0x00000000055A0000-memory.dmp

Filesize
448KB

Download
memory/2392-1343-0x00000000055F0000-0x000000000563C000-memory.dmp

Filesize
304KB

Download
memory/2392-1344-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/2392-1345-0x00000000056D0000-0x0000000005724000-memory.dmp

Filesize
336KB

Download
memory/2392-1350-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2392-1354-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2392-45-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-1355-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2392-47-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-51-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-53-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-55-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-58-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-59-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-61-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-63-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-67-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-49-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-39-0x00000000052C0000-0x00000000053D4000-memory.dmp

Filesize
1.1MB

Download
memory/2392-2-0x00000000052C0000-0x00000000053DA000-memory.dmp

Filesize
1.1MB

Download
memory/2392-3-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2392-1-0x0000000000700000-0x0000000000832000-memory.dmp

Filesize
1.2MB

Download