sectoprat | 0c5359f0bf2662aec517a172d5aea118face4ea4313d23a91c9e8d4a0855f3ea

Analysis

max time kernel
143s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
01/04/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GmRemote.exe
Size

465.5MB
MD5

8a8dd3810500ea0c1192ad5545193355
SHA1

e0fd714e9f56d08318805fb3106a9a22baca8be7
SHA256

03666f205e2c97737a5a15f8aff965a7b3728d684927568583db28957efd6b3d
SHA512

05a882c14ae5723fcfe99379f662827d9897ef27689f82f02e323b1f9cb134ed27e0ac73faeab4c271dc9369376535e04f772edfbdb0f96d27b04e275977cafb
SSDEEP

98304:MtrXE3k1Mol2a/d3hZmSHJLJfERO4bMBX0VgKDrY7R:R3W/d3qmJNfEAAMBXl7

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1828-1393-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2412 created 3280	2412	CasPol.exe	52

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5004	chrome.exe
1052	chrome.exe
1860	msedge.exe
4640	msedge.exe
4488	msedge.exe
5612	chrome.exe
4736	chrome.exe
4348	chrome.exe
1036	chrome.exe
3412	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
1828	CasPol.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	CasPol.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\SOFTWARE\Avira\Security\UserInterface	GmRemote.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\SOFTWARE\Avira\Security	GmRemote.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Avira	GmRemote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security	GmRemote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security	GmRemote.exe
Key queried	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Avira	GmRemote.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Avira\Security	GmRemote.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2412	1520	GmRemote.exe	85
PID 2412 set thread context of 1828	2412	CasPol.exe	88
PID 1520 set thread context of 3828	1520	GmRemote.exe	86

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
2412	CasPol.exe
2412	CasPol.exe
2412	CasPol.exe
2412	CasPol.exe
2412	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
3828	gpupdate.exe
3828	gpupdate.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
5612	chrome.exe
5612	chrome.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe
1828	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	CasPol.exe
Token: SeDebugPrivilege	2412	CasPol.exe
Token: SeDebugPrivilege	1828	CasPol.exe
Token: SeShutdownPrivilege	5612	chrome.exe
Token: SeCreatePagefilePrivilege	5612	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
5612	chrome.exe
3412	msedge.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe
1520	GmRemote.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2412	1520	GmRemote.exe	85
PID 1520 wrote to memory of 2412	1520	GmRemote.exe	85
PID 1520 wrote to memory of 2412	1520	GmRemote.exe	85
PID 1520 wrote to memory of 2412	1520	GmRemote.exe	85
PID 1520 wrote to memory of 2412	1520	GmRemote.exe	85
PID 1520 wrote to memory of 3828	1520	GmRemote.exe	86
PID 1520 wrote to memory of 3828	1520	GmRemote.exe	86
PID 1520 wrote to memory of 3828	1520	GmRemote.exe	86
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 2412 wrote to memory of 1828	2412	CasPol.exe	88
PID 1520 wrote to memory of 3828	1520	GmRemote.exe	86
PID 1828 wrote to memory of 5612	1828	CasPol.exe	97
PID 1828 wrote to memory of 5612	1828	CasPol.exe	97
PID 5612 wrote to memory of 2724	5612	chrome.exe	98
PID 5612 wrote to memory of 2724	5612	chrome.exe	98
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 4204	5612	chrome.exe	99
PID 5612 wrote to memory of 5292	5612	chrome.exe	100
PID 5612 wrote to memory of 5292	5612	chrome.exe	100
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101
PID 5612 wrote to memory of 5068	5612	chrome.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\GmRemote.exe
  "C:\Users\Admin\AppData\Local\Temp\GmRemote.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
    C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
- - C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\SysWOW64\gpupdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
  "C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8722 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5612
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa85dcdcf8,0x7ffa85dcdd04,0x7ffa85dcdd10
      4⤵
      PID:2724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1960 /prefetch:2
      4⤵
      PID:4204
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2264,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2268 /prefetch:11
      4⤵
      PID:5292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2308,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2792 /prefetch:13
      4⤵
      PID:5068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8722 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3084 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8722 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8722 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4472 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1036
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8722 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4480,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4500 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:4348
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8722 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4964,i,15726752251808362125,708909689256149994,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9067 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x268,0x7ffa76adf208,0x7ffa76adf214,0x7ffa76adf220
      4⤵
      PID:2852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:11
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2544,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:13
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9067 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9067 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=9067 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4860,i,9647943783842425888,4076621442679831578,262144 --variations-seed-version --mojo-platform-channel-handle=4876 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:4488

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
3f515df95797ea4f3897ec789b39752c

SHA1
6b6e04e480849cd4cd47beb0524ebd0069486152

SHA256
7cd4d52264d2be6b5930ffa7536237170e31eef979fb4ed569f3432e968d8fdb

SHA512
5c21c771712680d4a6e548668ad66b2996acdc8574f0c94afbfe0ead809c2a41becb47eb66ecfdf26bc21e0b41a540d69c763ed1e7f925b69897b6181e338b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
92b7f6fd4f1e15a4de2b544e077fd8cf

SHA1
d0675865973ca5f5dab48f4efaca9636e177eae4

SHA256
8fefb432fa005ace911ef33f3b73f5c4dffbc2bb15d97361f9233847401cac73

SHA512
a535e57e5af0a8e8a8a6915c042d7aee2ab835b9531b8dafe041eecaa64ea95a6dba80aa9bc1ac7fa9e12c84235d6fd8546f53b0f8b3ab1a06fc349cdcdccbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
34KB

MD5
9329763ec14ea155da263fc7aace83fd

SHA1
bc79b883f5d262878f9f1883e86c6eacf5b36181

SHA256
b577127e79def18e6b402ba37943f2ec18b43cbd638877f1e2c8dbd0e7e07531

SHA512
8591100f35a6c9241c1c54e26ed851c2bd4c51bdc5a07fcfdc312f92c8080d0063e2aec5ec8d226fc7f6135149d06b76cd26408e41bf81851e02fa1d8c845771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index

Filesize
1KB

MD5
7150bfeca77445ff4e079c592d08a3ba

SHA1
484e2d31bd698294dbe1adbb493eeb74a683b4ad

SHA256
dd97d129d504749d22cab49f002793e9514d11c2ed73124bfb47deaf0fd2d30b

SHA512
105c7236f635545d4e866db76501ec9fbb5cabb7d033fa7bbb1d0d93a7ebd25d40b5528c45e34e5f8690618319bda79c662d56b5574d7301cd690121b84ab2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\28dacc6d-8082-4aba-9cb9-067408b474cf\index-dir\the-real-index~RFe5836bb.TMP

Filesize
1KB

MD5
e5f753aca4326f9bfce2e25026128ecd

SHA1
498fb4bcc88aec98a1e2fb60a5b1ed62f409bb3e

SHA256
ed921ad8f1d505f7f27d232ffe0ee5fdf31d8e50135663187cceed58062b2f68

SHA512
69b3cf63e27274f7284ecacdc84ef04012d14e553d16b9e13fcfc1656b7148e8c683a2d5928b42a75c834c2d35462ae4ce7d58e371d834a4c19d5eedb8d24f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
a42cb4f9a29dc1f45a582c84ba8b6a7e

SHA1
9a291ec651fa47ccc4e6850d61a75e3e9ad0841b

SHA256
589ddd25140457e4de9c07242f636cf9690b8aa56b7d66e2b67e1f532d6f3ac0

SHA512
e156020378781721d72e3749e728003f135fdc50a04957c99b0bb2d92c57605dd671137560d700334f95292174cebc96cd7daa09bc6289935b7a178857289a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe

Filesize
99KB

MD5
f61fa5ce25f885a9b1f549055c9911ed

SHA1
aba1c035b06017b0b0bd1c712669646e4f3765ab

SHA256
57e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb

SHA512
02e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8050516

Filesize
2.8MB

MD5
9f2b0e4d218442927581577f52997f8d

SHA1
ab74e08d3a230260a545036c4ab423db1e4746e8

SHA256
47d20fa8d26cd6659bdcd45bce3a2666706d1e0b52b69ee023b58ac7e61bd936

SHA512
4f7db2f85793056884876be3506710833c2bed20b0fb0d13db0e347f28b4935fa20b1d5968b63f9877ea473aed6c8bf28dc91af0cacaeee43d63f31a87e44e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb379d0d

Filesize
2.7MB

MD5
42d2e6544b5c18a49dcf1716e2409944

SHA1
cbabf5a8f45156087756b91cc0e0bc44a840f8ce

SHA256
78a3a8d1b364ce715b86a8d5697ddf7ad7c12e7bf839b366425bdfd2360f58a2

SHA512
b8377e390098163954fea278bc80e37a5cfc400f28435d5f8564ad92ed5a9dce3fc52dd64c47f9668715cd99a2e134f16acc1a6a0c4bf96a1187577dff61c507

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb379d0d

Filesize
2.7MB

MD5
11d973090af6cd130a6dc2456cdf003c

SHA1
5c20163489dec6da2da3068badb3e236489ae6b1

SHA256
6afde373d37d64bd26335aa6110c03f8cbe482a67f4a981094844cfd43acf0e8

SHA512
ce91636efc336992ce7d131931999a6ff039f32db66fa03fe92e520fe8c84c0d2b91ba515837fe5ab96f585b7760f5e12d56612828f7b3d9199073514e0b8ee8

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
38fe95c51fd82f2ccc6bf16649686e3e

SHA1
1c5440ce2a6ac0544b7c6e6bb83c16c3da6982b7

SHA256
4e3492b87336d65a85561eeebcd1b46da590ef1395ad4f404d76f9cfa681bbb5

SHA512
17981507e9ceff5ce8009b33cdf204c0f9b1ef59bda0c2b22bbf2b0368dca776a3123d8bdaa755c132438c48263e0ed5443307504d21e911ad43e32d2ce0e9e2

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/1520-17-0x0000000074DD0000-0x0000000074E1F000-memory.dmp

Filesize
316KB

Download
memory/1520-21-0x0000000074DE4000-0x0000000074DE6000-memory.dmp

Filesize
8KB

Download
memory/1520-564-0x0000000074DD0000-0x0000000074E1F000-memory.dmp

Filesize
316KB

Download
memory/1520-12-0x0000000074DD0000-0x0000000074E1F000-memory.dmp

Filesize
316KB

Download
memory/1520-10-0x0000000074DE4000-0x0000000074DE6000-memory.dmp

Filesize
8KB

Download
memory/1520-7-0x00007FFA97A00000-0x00007FFA97C09000-memory.dmp

Filesize
2.0MB

Download
memory/1520-0-0x0000000000E50000-0x00000000012C9000-memory.dmp

Filesize
4.5MB

Download
memory/1520-6-0x0000000074DD0000-0x0000000074E1F000-memory.dmp

Filesize
316KB

Download
memory/1828-1412-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/1828-1415-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/1828-1416-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/1828-1407-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

Filesize
40KB

Download
memory/1828-1399-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1828-1398-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/1828-1397-0x00000000065C0000-0x0000000006AEC000-memory.dmp

Filesize
5.2MB

Download
memory/1828-1396-0x00000000059D0000-0x0000000005A46000-memory.dmp

Filesize
472KB

Download
memory/1828-1394-0x00000000052B0000-0x0000000005300000-memory.dmp

Filesize
320KB

Download
memory/1828-1395-0x0000000005700000-0x00000000058C2000-memory.dmp

Filesize
1.8MB

Download
memory/1828-1393-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1828-1391-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-37-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-1385-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-79-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-77-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-76-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-71-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-69-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-67-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-66-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-83-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-73-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-57-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-55-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-53-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-85-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-1368-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1369-0x0000000006370000-0x0000000006438000-memory.dmp

Filesize
800KB

Download
memory/2412-1370-0x0000000006590000-0x0000000006656000-memory.dmp

Filesize
792KB

Download
memory/2412-1371-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/2412-1373-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1372-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1374-0x0000000006F50000-0x0000000006FA4000-memory.dmp

Filesize
336KB

Download
memory/2412-1377-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1378-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1383-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1382-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1381-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1380-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-1386-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-81-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-1392-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-87-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-61-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-1390-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-59-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-63-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-30-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-49-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-51-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-35-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-39-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-41-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-43-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-45-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-47-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-31-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-33-0x0000000005F70000-0x00000000060DB000-memory.dmp

Filesize
1.4MB

Download
memory/2412-29-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/2412-28-0x0000000006690000-0x0000000006C36000-memory.dmp

Filesize
5.6MB

Download
memory/2412-27-0x0000000005F70000-0x00000000060E0000-memory.dmp

Filesize
1.4MB

Download
memory/2412-26-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-25-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-24-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-23-0x0000000005810000-0x00000000059AC000-memory.dmp

Filesize
1.6MB

Download
memory/2412-22-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-20-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-19-0x0000000076C10000-0x0000000076D00000-memory.dmp

Filesize
960KB

Download
memory/2412-18-0x0000000076C26000-0x0000000076C27000-memory.dmp

Filesize
4KB

Download
memory/2412-13-0x0000000074A50000-0x0000000074D03000-memory.dmp

Filesize
2.7MB

Download