sectoprat | 0b0abe68f13000275c162908740469a9938a5463ee07404c4f43eec8fb9299f5

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe
Size

1.3MB
MD5

5c07a7a4e57ee404b231bd85bb2e8602
SHA1

76d64cdc6a5265407e1b4a75426599f29adc1b5a
SHA256

0b0abe68f13000275c162908740469a9938a5463ee07404c4f43eec8fb9299f5
SHA512

19a362b97c6d3ad2c6f7e7b9cdeb5f4abe8e2f38bba00a1805b14f48fbf0a3f8d2b408714dbcff69546728d3c06360db84c2ddb91aa2bbf3f1c9414713a2479f
SSDEEP

24576:sw4GBpehMjcuP5b4FtyA1r6LgE0WpY4yObTpRrJ/vzl9Z3ERw/KB7cn:sw4GBcz05styAYL30IyObNRrJ/7ZERQT

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/744-0-0x0000000000400000-0x00000000004CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1644	chrome.exe
1044	chrome.exe
1652	chrome.exe
4056	chrome.exe
3632	chrome.exe
6052	msedge.exe
5916	msedge.exe
1776	chrome.exe
5976	msedge.exe
2868	msedge.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5184 set thread context of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
1644	chrome.exe
1644	chrome.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe
744	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	MSBuild.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
5976	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
744	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5184 wrote to memory of 744	5184	2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 744 wrote to memory of 1644	744	MSBuild.exe	102
PID 744 wrote to memory of 1644	744	MSBuild.exe	102
PID 1644 wrote to memory of 2208	1644	chrome.exe	103
PID 1644 wrote to memory of 2208	1644	chrome.exe	103
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 5592	1644	chrome.exe	104
PID 1644 wrote to memory of 4292	1644	chrome.exe	105
PID 1644 wrote to memory of 4292	1644	chrome.exe	105
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106
PID 1644 wrote to memory of 5040	1644	chrome.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_5c07a7a4e57ee404b231bd85bb2e8602_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9174 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0x100,0x104,0xd4,0x108,0x7fff3857dcf8,0x7fff3857dd04,0x7fff3857dd10
      4⤵
      PID:2208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2040,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2036 /prefetch:2
      4⤵
      PID:5592
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:4292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2420,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:5040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9174 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1652
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9174 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9174 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4356,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4396 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4056
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9174 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4380 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9174 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4840,i,1319165233471899434,1833395377326976171,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4820 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9323 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x26c,0x7fff296df208,0x7fff296df214,0x7fff296df220
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1984,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2256,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
      4⤵
      PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1800,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:8
      4⤵
      PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9323 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3588,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9323 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3604,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=9323 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4944,i,16029423477214902898,13482466283398604495,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5916

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
a32823b4c6b46986ac0d64dcf875dcac

SHA1
9ec461bf68555ab9b73ae4220f7f0cab88719888

SHA256
3976b631cf0f03ebbb3ab450b22a74c724e16bdccfaaa7edcefa8f3bc096aaf0

SHA512
0cdb1997011388684e49ba671546af2dc1bd6c891692f6932b102d8290df616494f8ea651d82fdbec5bb9733a2a09bb540cd27ee0283b0be1508b2985455cd01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
24a4f8fdef0e32b1ea2c74cf702fe12d

SHA1
d03f51a7a181e7e642f6568fdd86389cc4a20f15

SHA256
55d29212ab5273192838c4c1bc8e19c7eab9cb77bd6f28f43d2749507cbdf829

SHA512
5b5a0f1d558636e78644c87e71e88383f15caa5fbf663ab6ea56ab19bedf230c5ae1cff6762c1a637f2635aafa399282d782f7e36ee4e249cfb0394ab822a0f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
33KB

MD5
c1b8d0184b1ca3280c485146b17f7cdf

SHA1
60a5f3c6515f11308829fd4d2b1bbc121c7f8e74

SHA256
bf6294ba51036831910941ef71c0d8f21d19501377ed39aac79e066d73446350

SHA512
7a603f6efd5bd60150c147de7cd599d00d65e8bdc253a821776ae422f3da1247857c88ba66bf72108d44b4fc70763c1b447f46eafcfe3955f625c9cadf19a51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
c869f33c0a00eb61b2afee2bd490c21a

SHA1
8a14f6fc51459903f78aa8aa4504fc5a54557444

SHA256
5d4b674b8774c2462a13c1c66dc000dc2c5b1cde66603c3fc5930d2d5ed5a46b

SHA512
54c6d35b9e908596d622d0b64dbd32dd85d5efb0bbb94513df76013d523ecbd4e08a5ead507118592ca18fd38d0ab1c4c58ac7f1b61c8a74dc63b3b586e51f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b427abd751ec9586552ef1f91e20a29b

SHA1
01f72c929551d57aecb364c51bf1ccdfbf483e17

SHA256
8b5a725e5c27748359843d885c47b55e56f967960cb4a3ae0fcbc57c49368447

SHA512
b43d5cb60d5a7bde3a27f08b525e2446dcfccac60b984b738a33e779a817d5e3c385296d9ad84f5f66303a9249867da1fa1e0fc60921ffc0b82673ffcadece90

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
78ee346c07b744a5bc3826a83e11b6d3

SHA1
3ff09bace3300fb4a327804651488e907b9dddfb

SHA256
1b371a4f4397e7929eac48e488aabec0b8dffdfc934c04fb72194e1e6637cd55

SHA512
a893976350d427fd3b01935a882ceac75ea81cf391d214c2fbe912b8c8609f77608fdee22f2020695d9237d4add3e23d8208827675a58f9ea7038418859bdfb8

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/744-7-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/744-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/744-22-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/744-20-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/744-19-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download
memory/744-16-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/744-10-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/744-9-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/744-8-0x0000000006250000-0x000000000677C000-memory.dmp

Filesize
5.2MB

Download
memory/744-21-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/744-6-0x0000000005540000-0x0000000005702000-memory.dmp

Filesize
1.8MB

Download
memory/744-5-0x00000000051C0000-0x0000000005210000-memory.dmp

Filesize
320KB

Download
memory/744-4-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/744-3-0x0000000005080000-0x00000000050F6000-memory.dmp

Filesize
472KB

Download
memory/744-2-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/744-220-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/744-221-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/744-1-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download