sectoprat | 8afa3ec25a09a7b41f78fd1cd3d69de3c55c158b9c99f58c59db15220d520636

Analysis

max time kernel
102s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe
Size

1.3MB
MD5

9dbe5cb9c6e6dcc6bbda409b0e2f60ab
SHA1

cafa259bf42b79ebc467ce248cab97b55876e51f
SHA256

8afa3ec25a09a7b41f78fd1cd3d69de3c55c158b9c99f58c59db15220d520636
SHA512

d89a36bb13e5da61a16b8e8a174d30e916d5d2f5012b490d5355d1817cc060a9c7b33954a59f185dc61784317734071bc49dfcbeddd073aa978023f9a52cde9f
SSDEEP

24576:2w4GBpehMjcuP5b4FtyA1r6LgE0WpY4yObTpRrJ/vzl9Z3ERw/KB7cot:2w4GBcz05styAYL30IyObNRrJ/7ZERQ0

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5432-0-0x0000000000400000-0x00000000004CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3916	chrome.exe
3988	chrome.exe
1520	chrome.exe
2092	chrome.exe
5796	msedge.exe
5728	msedge.exe
3364	msedge.exe
2548	chrome.exe
1016	chrome.exe
3020	msedge.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 232 set thread context of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
3916	chrome.exe
3916	chrome.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe
5432	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5432	MSBuild.exe
Token: SeShutdownPrivilege	3916	chrome.exe
Token: SeCreatePagefilePrivilege	3916	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
5796	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5432	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 232 wrote to memory of 5432	232	2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5432 wrote to memory of 3916	5432	MSBuild.exe	98
PID 5432 wrote to memory of 3916	5432	MSBuild.exe	98
PID 3916 wrote to memory of 732	3916	chrome.exe	99
PID 3916 wrote to memory of 732	3916	chrome.exe	99
PID 3916 wrote to memory of 5228	3916	chrome.exe	100
PID 3916 wrote to memory of 5228	3916	chrome.exe	100
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 368	3916	chrome.exe	101
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102
PID 3916 wrote to memory of 5628	3916	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_9dbe5cb9c6e6dcc6bbda409b0e2f60ab_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8805 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdd814dcf8,0x7ffdd814dd04,0x7ffdd814dd10
      4⤵
      PID:732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:5228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2164,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2552 /prefetch:8
      4⤵
      PID:5628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8805 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8805 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3988
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8805 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3264,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4464 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8805 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4232,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4480 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1520
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8805 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4740,i,3288500050125006908,2349526697642986534,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4772 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8220 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f8,0x7ffdc73bf208,0x7ffdc73bf214,0x7ffdc73bf220
      4⤵
      PID:1692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1964,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2152,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2024,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:8
      4⤵
      PID:2524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=8220 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3516,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=8220 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=8220 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4700,i,16659121579202830969,16647134027971832034,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:3020

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
6a95acbc0723234ece21850a18b7473c

SHA1
217a61385d4fbecf11f95a4a9a2231b7cd3e330e

SHA256
48db1d1eec2d86468ad040cd45632a37152e0ca41cd1c52c05c691a002d30ee7

SHA512
077def11a1f2cab652fcbdc682defdcd45a72114db432ee3e2643cb345741cec803b5107928a9b9b29dae75ddff4fc583b8df075bbe61495942c0877a761b855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b53bcb70d8bc05bc4560eb9fbe96ed3f

SHA1
676d405df6c155ff582c0f0408b71e4493fbd592

SHA256
4c390e17efaf8a4094622f08c01e68bf008a2ea84f06e79c1c0f2d067dacb04c

SHA512
a3074e7ae0d7c890374044fe42da70877fbbe892c5704c3f65be37b079a71d0d72e6541b8d18d3d13db57d48ef34c4e2e176e490f189594a6216b54767060b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
33KB

MD5
ed78baa0ead11c948e452311fc43ee70

SHA1
35eadd19a1f0ee9eee1a7a38c00d93bf488d3ac5

SHA256
abb387925d5edc118f0052c66c95eb67c08c57f627f7b3b1e7ccca4d48606be0

SHA512
569dcd0d1d365ba8c184f861dc49a21b4c71c84e4ca0b206f53a0e171f63bf29f9674b5ccd5482538c83fea556dfc7c0e8fd43210677e10783034e5d702377e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2a1bd343ddb6d0a47b43ddd1387d9d46

SHA1
955160e16ef33d7c7d676a5e82d0fd0530025a07

SHA256
2722e612bc205a0f8d2ddf385ea1b4c99853cdf647e8312b567a351722fe12c4

SHA512
a2140a9793ae69c0ce15466b72ecb63223376cfe81e57e0ab0679a6d3bfe6ed066f0857d13355defd3e1b5391f1926606d7164166651f449919c3d4d463e5dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
f0b2e8e1b8439dfa0256808ff748add7

SHA1
71482ccfc9ae249a063c3ce7357ded5e6f6365d2

SHA256
4da81baa53be5170ad80edd6ee6ddd13d7377509db41b57c7988f0bd561cd1a2

SHA512
a9978accdd2856a218b2fe7cff1d9cdd665c3979f34a9c294bb54013d6820999b88c91268854e4f9ea55560156294e7cd1a5ab323586a51fc1b51fbe852b19f6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
582444cc6c8784714a6436e8dfa174de

SHA1
d3528fe780214d64f308973a8424ed645a7b68fd

SHA256
9502c3b9192ed63017fedb0901b195f05ad7ec83e9afdc733d54b419840c6786

SHA512
c3743c6f227dedeba4d1f1ceeb7c9f54d772c439cc94823d60bdffb4d9232286a8ecfefb67783031026e39354fe986efb3a64ebd7f92df5fe4ad20f15a84ca55

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/5432-7-0x0000000005910000-0x0000000005AD2000-memory.dmp

Filesize
1.8MB

Download
memory/5432-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5432-22-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/5432-20-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5432-19-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/5432-16-0x0000000008060000-0x000000000806A000-memory.dmp

Filesize
40KB

Download
memory/5432-10-0x0000000006370000-0x00000000063D6000-memory.dmp

Filesize
408KB

Download
memory/5432-9-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/5432-8-0x00000000067B0000-0x0000000006CDC000-memory.dmp

Filesize
5.2MB

Download
memory/5432-21-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/5432-6-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5432-5-0x00000000056F0000-0x0000000005740000-memory.dmp

Filesize
320KB

Download
memory/5432-4-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/5432-3-0x00000000054E0000-0x0000000005556000-memory.dmp

Filesize
472KB

Download
memory/5432-2-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/5432-125-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5432-126-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5432-1-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download