Overview

overview

10

Static

static

10

Build.exe

windows10-2004-x64

10

Build.exe

windows10-ltsc_2021-x64

10

Build.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/03/2025, 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Build.exe

  • Size

    8.0MB

  • MD5

    5aeb840fa69ff4dcd8ba0816a2da1434

  • SHA1

    e710536efe591bb5cf24e3b4cd270775feffddb6

  • SHA256

    1f33f50f29b612c23fe2890fe9567c42e2512ae3c7818f3c60879665019bb4df

  • SHA512

    44c277c1fdd72b2e246bb511f4686df823636c41acaf8d2825c4399a216f48b6d037b9c197db6134464a5c54156648e8bf96dff72bda1426f58578de740a9f72

  • SSDEEP

    49152:zf+7HoOWA0PMlJmN8UkruiWIKYqAFs6eYfZVmBumJzMmbmMqoBLPg4NOW:zG7HlQ6Jg8RrucFs6e6ZV5mJQmbmNW

Score
10/10
quasarstormkittyoffice04collectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

51.89.204.80:4782

Mutex

65581c6d-14ba-4da9-86dd-ffd8304b8eb1

Attributes
  • encryption_key

    8C25D2F2D6CDE756BAFC0531B3B70446BFBAF003

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Uses browser remote debugging 2 TTPs 12 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Build.exe
    "C:\Users\Admin\AppData\Local\Temp\Build.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
      2⤵
      • Uses browser remote debugging
      • Drops file in Windows directory
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffd535df208,0x7ffd535df214,0x7ffd535df220
        3⤵
          PID:3640
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2508,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:11
          3⤵
            PID:4632
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2632,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2628 /prefetch:13
            3⤵
              PID:2612
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2424,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:2
              3⤵
                PID:2768
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3596,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:2220
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3612,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:1644
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4100,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:3748
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4136,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:9
                3⤵
                • Uses browser remote debugging
                PID:4488
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4116,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:9
                3⤵
                • Uses browser remote debugging
                PID:4532
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4120,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:4008
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3864,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:14
                3⤵
                  PID:756
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5400,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
                  3⤵
                    PID:2364
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5536,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:14
                    3⤵
                      PID:4528
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3836,i,847179476670918207,17670220754391812265,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:14
                      3⤵
                        PID:3788
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                      2⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Wi-Fi Discovery
                      PID:2428
                      • C:\Windows\SysWOW64\chcp.com
                        chcp 65001
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1508
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh wlan show profile
                        3⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        • System Network Configuration Discovery: Wi-Fi Discovery
                        PID:2832
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr All
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:4452
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4444
                      • C:\Windows\SysWOW64\chcp.com
                        chcp 65001
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1112
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh wlan show networks mode=bssid
                        3⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1860
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                      2⤵
                      • Uses browser remote debugging
                      • Drops file in Windows directory
                      • Enumerates system info in registry
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      PID:2064
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6482dcf8,0x7ffd6482dd04,0x7ffd6482dd10
                        3⤵
                          PID:2360
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2008 /prefetch:2
                          3⤵
                            PID:2612
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1508,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2284 /prefetch:11
                            3⤵
                              PID:1744
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2420,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2768 /prefetch:13
                              3⤵
                                PID:2840
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3308,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3384 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:4684
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3404 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:2592
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4100,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4164 /prefetch:9
                                3⤵
                                • Uses browser remote debugging
                                PID:640
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4776,i,15378046046335115239,15581233307632805694,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4752 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:788
                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                            1⤵
                              PID:3332
                            • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                              1⤵
                                PID:4236

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Execution

                              Persistence

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Modify Authentication Process

                              1
                              T1556

                              Privilege Escalation

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Defense Evasion

                              Modify Authentication Process

                              1
                              T1556

                              Credential Access

                              Credentials from Password Stores

                              1
                              T1555

                              Credentials from Web Browsers

                              1
                              T1555.003

                              Modify Authentication Process

                              1
                              T1556

                              Steal Web Session Cookie

                              1
                              T1539

                              Unsecured Credentials

                              2
                              T1552

                              Credentials In Files

                              2
                              T1552.001

                              Discovery

                              Browser Information Discovery

                              1
                              T1217

                              Query Registry

                              2
                              T1012

                              System Information Discovery

                              4
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              System Network Configuration Discovery

                              1
                              T1016

                              Wi-Fi Discovery

                              1
                              T1016.002

                              Lateral Movement

                              Collection

                              Data from Local System

                              2
                              T1005

                              Email Collection

                              1
                              T1114

                              Command and Control

                              Exfiltration

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                79KB

                                MD5

                                d652f4f189d2f11f99e6294e0560561f

                                SHA1

                                c298bd110157f2dae25ba6df7cfa9b49dbd09d9f

                                SHA256

                                0a832ea22fb27f67dd64ac892a42c559dfa374c92189979eef086332a17e040e

                                SHA512

                                e9779ef90b3ad92c407f5511b5adaa4622f43ce1acb2587ca689c68146a60b3ebbf11618d706443f107d7c67dc570a294a8a271975de374446fe6acc1032da28

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                280B

                                MD5

                                d078e361e0ed3a9230b38d7f87140520

                                SHA1

                                235c905284ee451b6d19054ce804e8e02a4dceaa

                                SHA256

                                c568a7aab912809de985c73e6f662c91cf29ef7e6d91ef6a2ff03989f0894338

                                SHA512

                                79eac09b34e1b2274901e9114c16212b608d4ba2c8875e000b77b6cab80578e25ad5c8020ff0f32c4b57884c7bc41cc494b936b4154f5d922ebba3e6457ac9e7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                280B

                                MD5

                                ecf610ffadb6b05b729f1fb747c925ce

                                SHA1

                                552e136d3b35f6554388dbf3de27cc3f13aac1aa

                                SHA256

                                e60d57b0c686fee38e691bd9736e26c41a31f3f058f68c1176c0a71f8108abdd

                                SHA512

                                ac191b7ef1e260e052031443b9e97b79824c03ae79dc76639317c4f3c70c33ab7b3239cfcf38ae5ed803adf4bb011bb9a9973cb9ba1787b91de2c171cba803b5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                                Filesize

                                69KB

                                MD5

                                164a788f50529fc93a6077e50675c617

                                SHA1

                                c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

                                SHA256

                                b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

                                SHA512

                                ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                Filesize

                                28KB

                                MD5

                                625782a86b4cc5e6e252df68557753ed

                                SHA1

                                3d8df5f768f7216a2c763a4c4b2c909ab3b77d79

                                SHA256

                                abe689dc611218f1e8c2caf61a47978834b9a6c124a2995ebb0147d4d01825cc

                                SHA512

                                316afdb0623d4ff0470edb989c7cc2a28c2ed4c27452ef76ea154adbb7badd84fd6d32fe0ec50c7ecb3ddd7d07adda4d305117f4cc16fe468bcbe6bf3f9822ba

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                Filesize

                                3KB

                                MD5

                                cbe3fd729d4964fc6542ee442ff7e35e

                                SHA1

                                99948a52fda8e190f9f0d3db2c02e42829768aed

                                SHA256

                                532bfff73a7634989e8c8ae506e44c253264d424c6d6acff9f544ff072cc09d5

                                SHA512

                                358be431886a8564052576512d638fc4a053d5d4e2bed6a64f880d6eb6497a3304fc2693a784f28010449a76c34fcfb985c12762a65fca4e0f39ba8cc9aa8bc3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9c519646-5b85-4f87-b6f2-333835629ee0\index-dir\the-real-index
                                Filesize

                                648B

                                MD5

                                d21a2be874c90af5b420e3155151d550

                                SHA1

                                578e11824f72d87b5cfb9f98261e22a4ed5db1cc

                                SHA256

                                b16b2b4c516702a50002c3e7b1bcb2202e254c257eddaede1e024607f3d6330c

                                SHA512

                                77c65d79c7c6b8f3841c40b155eb40822dc4b1fa90ac453c764f915cc4926684905f55274034fdbb28fc0eebc7aa291d0f93b64f02207c0ce890b6dc94ae8869

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9c519646-5b85-4f87-b6f2-333835629ee0\index-dir\the-real-index~RFe57a095.TMP
                                Filesize

                                648B

                                MD5

                                5cbe0647f4166f3d98da5619731b8809

                                SHA1

                                3686f143ee4684a5e477d3e0b9806cae566f297b

                                SHA256

                                2501a9becaeb8c8739361b653f601893273bf7c9c2627e1d0fd296c98aeff8cf

                                SHA512

                                b926e808643ff5136a384834662ad35a6d8ff504199351c152db782099ccfa8534c448d99d1196d80f308919ec8ed2af3c282718abc38e70be7a708dd77785d8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
                                Filesize

                                13B

                                MD5

                                3e45022839c8def44fd96e24f29a9f4b

                                SHA1

                                c798352b5a0860f8edfd5c1589cf6e5842c5c226

                                SHA256

                                01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

                                SHA512

                                2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                6KB

                                MD5

                                79b57d303db3f4e87b186697ae64dfb7

                                SHA1

                                9b14480f94454374bb498c9bebad7c2401609375

                                SHA256

                                2e7a107a36b9e254b65963a2adb2101d59365deabebcc869077864a93e9c51ab

                                SHA512

                                d2e92568675c8f14412c8d5922a68cc4d1d389c1e8be40207464716b7906be1f940df224aab0e14af9a68e9365c2130cd298cc1e7b3fc3db4a89c5e28e3d729a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                7KB

                                MD5

                                61386334f335c9c8b2953dabac40efa3

                                SHA1

                                44028a2aa8d3ee5b1bf3ece457afdc8e07bf520b

                                SHA256

                                094fa9fa999e35e4c37d1f3cb38323477c2de80121248b5affcf749b7d968f7d

                                SHA512

                                98742e4c8493c39f73d348d45b4ab80740cda60085bd1433f61b44fdb56316a37c13175b352a9c3eb15ef6b730a473f2f3fc7c3dc349213a180c00ef2197dfd8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\212.102.63.147.zip
                                Filesize

                                418KB

                                MD5

                                f6e0ee399a43a5f192f1eeb6eb5b01ec

                                SHA1

                                01520fe574eeba198d34df619b7497d5ddcb950b

                                SHA256

                                08d95204e354a57309a0f0dfcaa6f3349d26d9aa3b267a5f97eb4f3844bb5f3e

                                SHA512

                                3114f5353b3b168d3a44134992a8965120fd9bd80c9fa8a3bf67a2541af6cd994d0f903832972d18c2a98b70cb7dce0efa909db7ba06b87e128f284eeff14629

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt
                                Filesize

                                81B

                                MD5

                                ea511fc534efd031f852fcf490b76104

                                SHA1

                                573e5fa397bc953df5422abbeb1a52bf94f7cf00

                                SHA256

                                e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

                                SHA512

                                f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt
                                Filesize

                                4KB

                                MD5

                                1e64d0bfdafe66144b193f2ff80ed669

                                SHA1

                                31409ecd4682143aa707c9c2bd0c1a148f7ce858

                                SHA256

                                eed799111c385dfe106827000b6c726ef33c77ba29c424efa773a9f5ed62ab51

                                SHA512

                                13e00abc28f177bb8ec8e3f23794a21c801643aea1b7bad70a26cee195dadb311f5e5db823aa1328b243c6a4e5ce8417b208eb7f82111a29ebce4665e46240a8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                Filesize

                                3.5MB

                                MD5

                                66306da795ed0e2ba7652f6749fe22cf

                                SHA1

                                48cc23bc7e9beb88f80073a07fe4948d9328df52

                                SHA256

                                3045c4c630d44383a7153d9d13e4cdaa3284095cb580627a9adb0b9e4033d9e3

                                SHA512

                                b81a382e7c5c02d22f90808781f6ce9a228805dbad8ac1ce58721d1c62f967ea8574bcaed412e87ec384eca8ead7315e8a8ae0ec5324938082cdfc22d5227d37

                                Download Submit

                              • memory/668-272-0x000000007458E000-0x000000007458F000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/668-0-0x000000007458E000-0x000000007458F000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/668-26-0x0000000007000000-0x000000000752C000-memory.dmp

                                Filesize

                                5.2MB

                                Download

                              • memory/668-1-0x0000000000410000-0x0000000000C10000-memory.dmp

                                Filesize

                                8.0MB

                                Download

                              • memory/668-2-0x00000000056A0000-0x00000000056B2000-memory.dmp

                                Filesize

                                72KB

                                Download

                              • memory/668-3-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/668-15-0x0000000006900000-0x0000000006AC2000-memory.dmp

                                Filesize

                                1.8MB

                                Download

                              • memory/668-465-0x0000000008180000-0x00000000081CC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/668-464-0x0000000007BA0000-0x0000000007BC0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/668-360-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/668-197-0x0000000007580000-0x00000000075A2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/668-202-0x00000000075B0000-0x0000000007907000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/3128-85-0x0000000005500000-0x0000000005566000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3128-271-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3128-18-0x0000000000400000-0x0000000000558000-memory.dmp

                                Filesize

                                1.3MB

                                Download

                              • memory/3128-21-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3128-22-0x00000000056F0000-0x0000000005C96000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/3128-27-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3128-23-0x0000000005200000-0x0000000005292000-memory.dmp

                                Filesize

                                584KB

                                Download

                              • memory/3128-24-0x00000000051B0000-0x00000000051CA000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/3128-25-0x0000000005430000-0x000000000543A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4616-17-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4616-16-0x0000000000CC0000-0x000000000104E000-memory.dmp

                                Filesize

                                3.6MB

                                Download

                              • memory/4616-20-0x0000000074580000-0x0000000074D31000-memory.dmp

                                Filesize

                                7.7MB

                                Download