stealerium | 9a6b55d533c291f4b8706630f55663db1a11b2a1af3bf536b4a2abfa9761633e

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

1.6MB
MD5

03c0235c09b30b61f40fbb65d5bee883
SHA1

31d971d0fc6293ad67a0c84ea88d0e7e15c4ce29
SHA256

9a6b55d533c291f4b8706630f55663db1a11b2a1af3bf536b4a2abfa9761633e
SHA512

454288409757bc72c4b66ab66de02cb3d8559c1fdabac032885752819560f2d4c968674aca85ffa6430addd5a9fbfa12cb80cf9f131dcefb09c343eddafff540
SSDEEP

49152:DcTq24GjdGSiqkqXfd+/9AqYanieKdYX:D9EjdGSiqkqXf0FLYW

Score

10^/10

stealerium collection spyware stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1234145797856038953/Qx5Y46YXxYE_v9-5-5iTyAlkR-pe2Cn2DAdNinRgP7FgwC51wV8RMBhojwvQHc9imqqi

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 discord.com
5 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 icanhazip.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 2912 WerFault.exe build.exe

flow	ioc
4	discord.com
5	discord.com

flow	ioc
11	icanhazip.com

pid	pid_target	process	target process
1628	2912	WerFault.exe	build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

build.exechrome.exe

pid process

2912 build.exe
2912 build.exe
2912 build.exe
1232 chrome.exe
1232 chrome.exe
1232 chrome.exe
1232 chrome.exe

pid	process
2912	build.exe
2912	build.exe
2912	build.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

build.exemsiexec.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2912	build.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	452	msiexec.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

build.execmd.exechrome.exe

description	pid	process	target process
PID 2912 wrote to memory of 2816	2912	build.exe	cmd.exe
PID 2912 wrote to memory of 2816	2912	build.exe	cmd.exe
PID 2912 wrote to memory of 2816	2912	build.exe	cmd.exe
PID 2912 wrote to memory of 2816	2912	build.exe	cmd.exe
PID 2816 wrote to memory of 2068	2816	cmd.exe	chcp.com
PID 2816 wrote to memory of 2068	2816	cmd.exe	chcp.com
PID 2816 wrote to memory of 2068	2816	cmd.exe	chcp.com
PID 2816 wrote to memory of 2068	2816	cmd.exe	chcp.com
PID 2912 wrote to memory of 1628	2912	build.exe	WerFault.exe
PID 2912 wrote to memory of 1628	2912	build.exe	WerFault.exe
PID 2912 wrote to memory of 1628	2912	build.exe	WerFault.exe
PID 2912 wrote to memory of 1628	2912	build.exe	WerFault.exe
PID 2816 wrote to memory of 1204	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 1204	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 1204	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 1204	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 1748	2816	cmd.exe	findstr.exe
PID 2816 wrote to memory of 1748	2816	cmd.exe	findstr.exe
PID 2816 wrote to memory of 1748	2816	cmd.exe	findstr.exe
PID 2816 wrote to memory of 1748	2816	cmd.exe	findstr.exe
PID 1232 wrote to memory of 1108	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1108	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1108	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 1084	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 2140	1232	chrome.exe	chrome.exe
PID 1232 wrote to memory of 2140	1232	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2068

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:1204

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2764
2⤵
- Program crash
PID:1628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6979758,0x7fef6979768,0x7fef6979778
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:2
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:8
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:8
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1912 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:1
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2848 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:2
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:1
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3716 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:8
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3880 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:1
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4080 --field-trial-handle=1152,i,607579183219602819,17331143519664572213,131072 /prefetch:1
2⤵
PID:2444

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6979758,0x7fef6979768,0x7fef6979778
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6a0ff72496a67227b979f5fa64cb68e7

SHA1
a219dd1760653dcbecf80b70c81a1c019b69d58a

SHA256
468c38d7b636c18c91f5d9fb4fbe8826e906fca161922f0d4812961a95e01070

SHA512
af0028ab08abab9de694d9465911dda0db2b357271427bf1922a7b9373f6953ed5e31fdab883302a33dad757e36e39215a413cfb8b7d9352183432cef874191b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
d49a8657249845a20f8f16c90ce63dea

SHA1
c225a701fbb2e94505e049f06f3da1cd4e77f8b2

SHA256
2e233a55d4f6881470f9c70c0de8ab3f999ff3cdc60a8c71175bf5ffd5717754

SHA512
d390febed0f19c7e852624176afe11def33e6b0ac6dafb3170a529abee03fbae1d1e6d6a95b763c7e8ab56a6a958510bb42da7722acd2d7356ab3db2be70f68a

Download Submit
C:\Users\Admin\AppData\Local\9e0e49e24bb173ede9f356f705ffba3f\Admin@SCFGBRBT_en-US\System\Debug.txt
Filesize
293B

MD5
22bfb45c77f6604203c22d045e389715

SHA1
1186be114586923912c537431d6d0181237a4342

SHA256
72130c3172278d8d7e50abb38d544d67f39a3a94e40f46e1d51c9fb5fff4a371

SHA512
9af9fd90fe3c3149f5341209b1ecec847f7a4d9303f09b6ef0f8f4a2aa967fe0b989b7410207aa7c43ae60d2bd3c1d3d144d26b99bfd75c7d80caafd5cb63b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
cc224701d3988dd5549f5d4adbf10fe4

SHA1
bf7837f102c82b785f087208d907c86f3de96bb4

SHA256
ab4b477c15da3d33fd048de6a07bc97f38cb55f647a7cbb9c39ccbe56e18cb21

SHA512
da48b8a59c7a8434d277f18dff52557066aea503d889b4c06a840e0412afc0732ad8958a95f5d14d92b7cbf503ae0d1a32c5da87027c5df69591e85a973724d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8d04062cbb02cb52e1f80ef5822fc610

SHA1
6a610d4f0bbc9c102c5ae0dd5a40f90eff771396

SHA256
168d17e307758544ad33df4c4b2cc1df210618d63a2d3f76de06ff0c096def44

SHA512
1efbe13d2ddc17b8a4af896b564fa12ad597566b3ed815818c6cf00d74fb65907ae32544df6d5e8f4a5403cec170789f07eae9c6f55ae7d90bc7f43529a1d966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e7bb24d599ee3a041e5f3e7f271e63f6

SHA1
222f6bc231b649d05db8b64b7d4b6398b5087e13

SHA256
ff6bf86554bced0b33096869268cdcec40d86fbae8ef55129fac043b9fd5f128

SHA512
d100b89769299bc8f5b9d4d108f5229d7c318965815c393c3930d16f50e3ec906ee97a37b21f269362234fb2b81d0def682d4b5eb5ae97840c1b8167af3a184c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ff2db8220e37dd522fb788975e7cae77

SHA1
76a97b1d5579ce1354af229e5f1e7fab6dc025fd

SHA256
d5867e6d68e1901707137ef38c7d022734e85367209fe1505a0d6293412d6a21

SHA512
640eda59d57ce637540a31d7fc3720634252dceb918a4315104c891698ade826642cecf09001a095924b8370c8ab49f9bcf29d28eb7acc5e2d3b64a23c683241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5d835c491df7753880a9deb4e9934742

SHA1
245a3088bf9b798f03d385fb53c781737fc4646c

SHA256
be403e2b2dde02e6b8bb35b9e441a56f6e00c3c32b441e51b119b4de5d616b57

SHA512
b61e665b2585d58a5d2815c37cd2cc4634822a750aec679bb83c22056ce84b11e49ee1cfdfdad4a1816872f6de5a5a5f9d8db38be149527cc94f402bddb58bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23EA.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\??\pipe\crashpad_1232_CTTUUABDLIUGASWH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2912-2-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/2912-5-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/2912-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-6-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2912-205-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-0-0x0000000000B90000-0x0000000000D24000-memory.dmp

Filesize
1.6MB

Download
memory/2912-220-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/2912-223-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-7-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2912-46-0x00000000009D0000-0x00000000009EE000-memory.dmp

Filesize
120KB

Download
memory/2912-45-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2912-44-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download