sectoprat | 13043c23e4ab0578409c324821d4fa8996575d25fbab0df7563e4f651377e679

Analysis

max time kernel
124s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe
Size

2.4MB
MD5

392302dfe37da0cccf1fb697acedff42
SHA1

19772d3d90212fe5d92f3b30ff7eda7af8131435
SHA256

13043c23e4ab0578409c324821d4fa8996575d25fbab0df7563e4f651377e679
SHA512

5469c8df55ad7eb2e693965fc54fb2fac1b95492f452855d23fe73ac113d92abf6ed820fc01555ef87412b458b5e145f4b8c3e0a9c0fb243436f0eac9f0c7ba3
SSDEEP

24576:MiB4QbCAnGZPk/jhW2DQQ3iF2K8+2ntZ8oWy91r6LgE0WpY4yObTpRrJ/vzl9Z3J:MiB490ywYL30IyObNRrJ/7ZERQKgn

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000400000-0x00000000004CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1844	msedge.exe
3984	msedge.exe
4864	chrome.exe
3392	chrome.exe
4864	msedge.exe
1216	msedge.exe
2084	chrome.exe
2440	chrome.exe
4528	chrome.exe
3728	chrome.exe
2180	msedge.exe
5064	msedge.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
2084	chrome.exe
2084	chrome.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	MSBuild.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeCreatePagefilePrivilege	2084	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3940	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 4412 wrote to memory of 3940	4412	2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 3940 wrote to memory of 2084	3940	MSBuild.exe	116
PID 3940 wrote to memory of 2084	3940	MSBuild.exe	116
PID 2084 wrote to memory of 4460	2084	chrome.exe	117
PID 2084 wrote to memory of 4460	2084	chrome.exe	117
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 1216	2084	chrome.exe	119
PID 2084 wrote to memory of 1216	2084	chrome.exe	119
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 3824	2084	chrome.exe	118
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120
PID 2084 wrote to memory of 376	2084	chrome.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_392302dfe37da0cccf1fb697acedff42_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=7990 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8455fdcf8,0x7ff8455fdd04,0x7ff8455fdd10
      4⤵
      PID:4460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:3824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2192,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1628 /prefetch:3
      4⤵
      PID:1216
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2584 /prefetch:8
      4⤵
      PID:376
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7990 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3280,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7990 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7990 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4476,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4524 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7990 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4504 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:3392
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=7990 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4964,i,17414262886257641223,1124457382288232780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9383 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ff84174f208,0x7ff84174f214,0x7ff84174f220
      4⤵
      PID:648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1964,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3
      4⤵
      PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9383 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9383 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9383 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4228,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=1736 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9383 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9383 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5112,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,16052135554551866832,12754144534517122253,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
      4⤵
      PID:2368

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3460ae67841083a58564ea467981451e

SHA1
4533e2c096292a9779c9e416830a2d01ae1378b9

SHA256
1ee47adcaa5a7b84a59c907e5a32167a6ef0d53deb284c59d32ac729d35e3543

SHA512
8e24f8c257b4587d22ccd685e5c7ad5430ce8a5cc86109668c30ae4a46e0db7e5d98d12143f7e7512b3f2686cecbe3a2e4ba059a56be734f3346af64855f1392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
270ce00cd43cb98a58ce4ce1a41f6dd5

SHA1
e7ef12df495c72c660d70bdb4031c6b3dca9c60e

SHA256
e96e30f5dc650f0164acff4ab20685884d2087dcee1669e284cdbe9a6699e815

SHA512
868283f72534b7e2563009cd04f0024fbf13aa6a91fdb6add73f9d5499800e77b2c26b3dd89487f00b3e7a3c663cacff31df183de661c6d7dde68737b100acb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
cae08f4fda05958563e692b2800f4f97

SHA1
d925c605329c14fea110fcd18721d75102d3f4ec

SHA256
e6fbebdae9dddf3100e64b3bd333f454522686b4bfefbf94edf1fedbccdfa785

SHA512
4a7096ccfbfb30e0ee53dca7b7533071f0253b02408ce9b47122fa49840bb19112fa8bb27c4e7888b3957f5104b26ddc303b41017b28929611240a39b4fa6cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index

Filesize
432B

MD5
5ead6b002aece3a0822b419a6e7f70e4

SHA1
e49d4757e135304c9233979ac65f8848246a1cd5

SHA256
122319e72f69cb5a4103f7d62f97dfff6526fa691e6f75d181be7941262e9960

SHA512
eb34b8161b20415d7d5a894cfb126d08eda251baf7ce99499eedec8a2bf46b2a5db7ba7886b4463ea95404153bea77f87cc53efed0d62f428a46ff9a576025c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc742e8e-8d86-4c2c-a946-d520a388195f\index-dir\the-real-index~RFe5853a9.TMP

Filesize
432B

MD5
e0f71e3e829103b931decdb1f9499d2d

SHA1
ed5971b76ccdfbb670e8517b0743223b6201fdfb

SHA256
cea4e6cb68494b8b2f9467e61681c86eae154396fb159154efdfe2930fe76590

SHA512
aee20cc745592b884a55aa5919254fcc60ba8059f7927cdd448177e31e6bc08768a975d7f1978e5172c499bfb3de5492d8516698bebd61f6f6521b3e94995085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
43938bf60375d7ea59830b79d31168d2

SHA1
f8a02306c9c293bed87bfd210d807ea9946732c7

SHA256
f98faecc3e14acfe0181e643c74f41a3ed1f4c41ce963fecab326e8fd473efec

SHA512
20acb3675822ef903a6cc4e8aed43b9c5c818594dc27ac4106975bf5947a866d2e1bab5adc57a156c58c80d72bb59c6da8ca250fd51e48b5d2a07f5c6f941c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
bc6d378e2d2aa478ae86218519583d24

SHA1
d516f155b83ccb97405f43865cadba6ae19aa957

SHA256
e08fdccc0b63d0d9b1b32296b6e9719365d5873a9d11ff1b802f18e87e57b293

SHA512
63a1ec169010eeb8e5300f69ef116bfcc95ccca43b87c9049e872bbd3f7aad1a47fa874dd2e72c63140d1b7ca9a3b98603afe466cb7d57b59848e0df83c2b4a6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
ff3b385586c121ef4a7e54e290cc0e9b

SHA1
163d400270293be03fcb14d6ef0cfe641e843742

SHA256
74d4c61c38dbdc81559b051131625e6c117481ec22c28232c5f2bd9ce04e70a0

SHA512
17375b8d9661cf20d218dc248b00301a694e0ad445ffd0b1500f6d4e452f2e07ecc32884429818a134bbb23077934b69a81ae7e93e45690b4f9d4ce0aacd77d6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/3940-19-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/3940-10-0x0000000006820000-0x0000000006886000-memory.dmp

Filesize
408KB

Download
memory/3940-2-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/3940-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3940-22-0x0000000005CE0000-0x0000000005D1C000-memory.dmp

Filesize
240KB

Download
memory/3940-21-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/3940-20-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-1-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/3940-15-0x0000000008340000-0x000000000834A000-memory.dmp

Filesize
40KB

Download
memory/3940-3-0x0000000005AD0000-0x0000000005B46000-memory.dmp

Filesize
472KB

Download
memory/3940-9-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3940-8-0x0000000006C20000-0x000000000714C000-memory.dmp

Filesize
5.2MB

Download
memory/3940-6-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-7-0x0000000005E30000-0x0000000005FF2000-memory.dmp

Filesize
1.8MB

Download
memory/3940-5-0x00000000059D0000-0x0000000005A20000-memory.dmp

Filesize
320KB

Download
memory/3940-4-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/3940-187-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-188-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download