61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31

Analysis

max time kernel
131s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2025, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

potphbksed.exe
Size

137KB
MD5

9d6c51f4f9e0132ea410b8db3c241be6
SHA1

8aa67a34b626f61e6ab053f8a51e7c5142865fe4
SHA256

61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31
SHA512

479dd4703e0b462d7c0cfee5bdcaed97d8888f6c1fb04aad6e6d1a098b5a61701dd19a2635c64cb4cc77038445e5e498fdf8af75d728e5a58988047d3c4e2790
SSDEEP

3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QLGu:KH8RuRLlzgUd6a/AslLGu

Score

8^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5332	chrome.exe
2056	chrome.exe
5988	chrome.exe
5268	chrome.exe
5020	chrome.exe
3256	msedge.exe
3388	msedge.exe
1884	msedge.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	potphbksed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	potphbksed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	potphbksed.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5512	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893224306485702"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe
4060	potphbksed.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
3256	msedge.exe
3256	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe
Token: SeShutdownPrivilege	5332	chrome.exe
Token: SeCreatePagefilePrivilege	5332	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
3256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 5332	4060	potphbksed.exe	79
PID 4060 wrote to memory of 5332	4060	potphbksed.exe	79
PID 5332 wrote to memory of 4408	5332	chrome.exe	80
PID 5332 wrote to memory of 4408	5332	chrome.exe	80
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 5236	5332	chrome.exe	81
PID 5332 wrote to memory of 3912	5332	chrome.exe	82
PID 5332 wrote to memory of 3912	5332	chrome.exe	82
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83
PID 5332 wrote to memory of 4772	5332	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\potphbksed.exe
"C:\Users\Admin\AppData\Local\Temp\potphbksed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98949dcf8,0x7ff98949dd04,0x7ff98949dd10
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1972 /prefetch:2
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2148,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2244 /prefetch:11
    3⤵
    PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2420,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2572 /prefetch:13
    3⤵
    PID:4772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4312,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4340 /prefetch:9
    3⤵
    - Uses browser remote debugging
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4932,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5300 /prefetch:14
    3⤵
    PID:3812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5408,i,2820019087689608577,1974774984456018444,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5432 /prefetch:14
    3⤵
    PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2ac,0x7ff988f7f208,0x7ff988f7f214,0x7ff988f7f220
    3⤵
    PID:6000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,2779502177228482624,7134069427616444945,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1868,i,2779502177228482624,7134069427616444945,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:11
    3⤵
    PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1780,i,2779502177228482624,7134069427616444945,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:13
    3⤵
    PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=1728,i,2779502177228482624,7134069427616444945,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=1680,i,2779502177228482624,7134069427616444945,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\lfcje" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5756
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 11
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5512

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
2703ca4046b012ecf3e448c9c620c5e1

SHA1
0dcbd0ab8d6b5b79e3c4e608a8c06ad7a2a80879

SHA256
4bef55be9371daa38ce28c1bb00ce6532eb7df65515fd5a6eeaf799c3cd364a5

SHA512
99f3268075356814680925eb5abe286bc5ec44a29daee9d77f6afe12a98f72fcc7aa0644f40f874451e1162760b5b36416a5ee75b1a11223551a5860e49b0347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
115d75549d1d4c83225300c3b4f4165a

SHA1
1c1fa74a01d59d83608b48075d3e4aa245d8b270

SHA256
f3e4ea158036d176b6f15cb287e181a28fde555384878f891dd0e6eef81a1086

SHA512
8db5d4e3afefd113df7e4c52232fb51cc76d32b18f3e1490814e2eb976d80e33ae156576ed5a7854b44070ac59bc8e578cb35e276bf1f5600a01b848b0fbfdb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
34d09b852bf4a5ef1d936591501926ca

SHA1
88ff0b1c2a5664765e11e47843a5ac8e1782ed0c

SHA256
52bd897dfdfca849d627b36a49b976eef861b1a7af075527c8f247adb862dc20

SHA512
dc63eebf94384dc9580f5e3c9291047e8d410f8fc1f746d180673f445a9bbe746608c01cbf10a38f2f935cfa5c8bb89864f87cabd8fece809dcaa1fa137f71d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\60f96cdb-14c3-421d-815c-7468d92ae6d0\index-dir\the-real-index

Filesize
3KB

MD5
d4556005d86fa4899264ce43190efdd0

SHA1
ac44856aa24481dc13d24112d5a5ef847293b825

SHA256
da1d4c1e352dc9f5b4e42ef7194e7a0d6be9335a43acf70ed58722fa77c893c7

SHA512
2f618a0887bcd369f47a9f6c5a38bf4ed44ade18234f7e9c80a2ce285c25c26bcd9f578b7ab3d7e34fa3fb51741df8a962229ccebbc7850e2f3d1063590f94f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\60f96cdb-14c3-421d-815c-7468d92ae6d0\index-dir\the-real-index~RFe57e167.TMP

Filesize
3KB

MD5
428c56acc398c47065fb0d235571fdb7

SHA1
f2927352a593b4ce8214eb4d9bfd53128385e6f3

SHA256
d2ae95b3ccd384ec2f4ac4207a5fb164211ad0b2b4cd928fbd7df43696591a9c

SHA512
c912a2179957b7b34d2941e4f85dfdfb114b39879356dd0b2ec7903890d9725d271809b0fcabdba3876637fa199e09c7001bfdf248f76b7ef17f871979a96f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
84cfb53a42aa822dde26096ea58067e4

SHA1
f11d37cedf5636acbf1fbed19db1f30c4cb07329

SHA256
966e7cf91dfc88aee3cf2c5d4e8fcc22152f6066be6555f4fc98a21cc96f4325

SHA512
3a2873364dc18d3bfbddc2083d485913bf19eded72741315cf2eae1c5371e177e135f9381eab24743839d7f2a0d0af93b03f3ae48e16f564159749a2bf2dea50

Download Submit