stormkitty | a85e8c61034ea02087bc33b5f41b37ec25486612b3b5ddf8413f3abe6579d6f5

Analysis

max time kernel
64s
max time network
131s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberV12/Resources/ww.exe
Size

59KB
MD5

21d2cd5e50a4fea2868725cbf2bd43dd
SHA1

2eede1b89427f9cf5b9c144f9ab2cac79439e029
SHA256

809236959232884def77d8da2aa283a8ad4c77824932cd06a4188a21a6581bc3
SHA512

1eacde6ef8c47fe8f6b1d6b8479453fbddd4531fb4dc3bec83eaaa261b5ae3ed963c6d862b4e92862aefa4bc069c5a190390df6edfdfded69e0778651c1bfca8
SSDEEP

768:bv8q4lFep7sfOCROyzDxEQK76Yt5Qb7jTIajt9K0fZOv11yL6N9gE5WHpGV:Dt4lffROyzECZ41yLg9gEgJS

Score

10^/10

stormkitty spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral11/memory/1624-0-0x0000000001340000-0x0000000001356000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com
7	discord.com
8	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ww.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ww.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ww.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	ww.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	chrome.exe
856	chrome.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	ww.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 240	1624	ww.exe	29
PID 1624 wrote to memory of 240	1624	ww.exe	29
PID 1624 wrote to memory of 240	1624	ww.exe	29
PID 240 wrote to memory of 2412	240	cmd.exe	31
PID 240 wrote to memory of 2412	240	cmd.exe	31
PID 240 wrote to memory of 2412	240	cmd.exe	31
PID 240 wrote to memory of 3044	240	cmd.exe	32
PID 240 wrote to memory of 3044	240	cmd.exe	32
PID 240 wrote to memory of 3044	240	cmd.exe	32
PID 240 wrote to memory of 2216	240	cmd.exe	33
PID 240 wrote to memory of 2216	240	cmd.exe	33
PID 240 wrote to memory of 2216	240	cmd.exe	33
PID 1624 wrote to memory of 1596	1624	ww.exe	34
PID 1624 wrote to memory of 1596	1624	ww.exe	34
PID 1624 wrote to memory of 1596	1624	ww.exe	34
PID 1596 wrote to memory of 1388	1596	cmd.exe	36
PID 1596 wrote to memory of 1388	1596	cmd.exe	36
PID 1596 wrote to memory of 1388	1596	cmd.exe	36
PID 1596 wrote to memory of 2340	1596	cmd.exe	37
PID 1596 wrote to memory of 2340	1596	cmd.exe	37
PID 1596 wrote to memory of 2340	1596	cmd.exe	37
PID 1596 wrote to memory of 2612	1596	cmd.exe	38
PID 1596 wrote to memory of 2612	1596	cmd.exe	38
PID 1596 wrote to memory of 2612	1596	cmd.exe	38
PID 856 wrote to memory of 1336	856	chrome.exe	43
PID 856 wrote to memory of 1336	856	chrome.exe	43
PID 856 wrote to memory of 1336	856	chrome.exe	43
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44
PID 856 wrote to memory of 2080	856	chrome.exe	44

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2412
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3044
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1388
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    PID:2340
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7739758,0x7fef7739768,0x7fef7739778
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2840 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:2
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1312 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3852 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2652 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1408 --field-trial-handle=1300,i,6488950397274771865,10139525053487226638,131072 /prefetch:1
  2⤵
  PID:2516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f28ca5bd591a241f4b70646773803598

SHA1
446418c218df41ab7ae751d28bc0977fedbb5f95

SHA256
288cb2a11166ecb8fc285a27aee21c8ec5239d9d16c15e81cc858a1ecbf9597f

SHA512
4b92204e011be7cb05d0ef7d79c7ee4c2a941590f4253035c48f208e6cfc1ecd7c3d3df70c4c4421375967ea440a4e3b565b6b86a7154578dde89932d63681a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cfd4f20daf913cc908c6d49a0b80d33

SHA1
3364a2c3dd00c4452b835421d6b2ffa266f85390

SHA256
2181b67f8fe5f7b31db0e7e2eeef408282a09d36ec64430d6c709376f5bc844b

SHA512
8ee596c18affa16c60fb4fd8aa8bd11f7dcb7a7bf24816d5f06bd6d298f9da734f20ffc64babbf5c6f54340bd995752fe5c69d687de2d69d7d2478c8edaa7940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c45c576d8750acb22883f915797b276a

SHA1
2c7fa847d71781abad2ccdec78ee7fc61b70e2f0

SHA256
d7d36525b7492fad8e6fce9d35bf88761ee15e3a6b1f7f193d1c6ed2fafaef9d

SHA512
309fda4020267aef42cb27c5384aa895e648cf226225bc64b9a291dbab4e2c19a350b18423e43bc4a9a3c34783eb4125e6c7a5d06a50aeee8db23f9e8d206630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
637ce348e14ccbe10c37df28d0f53a38

SHA1
da89a2dad0f5abf9e8c66caa09e52784de3ab39a

SHA256
a0893ee7246916c7ad30a0dca52514c01df23a8fd80f60fb715c0ba716644ec5

SHA512
f92b80316c68160d18fadb250223d0676f02a3b539bc5371ea6c0bb8fca00012a144a85553f06326b13e76d872833ee404b70d743ff77233eefaa14ea795a3a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b696b42233569a6231cfd81e5d97c05b

SHA1
2441527a5f61b188d9cbad1df93c793df4550de4

SHA256
e27ceb7fe9e80505e4c6213dd88a5b71181e74a20f5188df43863a1be4d2f2e5

SHA512
0ffcc066713721466c235a50f2275694e2fb2a3f55bfe9fe61a934f8a94c0d7b22eff2ce80881f5384e63adc5de77f51420d8aafc243d0f960fccff24628314a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
f5f36437ff9a88ca05eedaec8ceb4e69

SHA1
9efbc15ce9216b1edf342b8a9b9a451505aa7283

SHA256
8ac633dd4ef60d625ac510f054e9847f8a4a585634901c02882f2a69e4ae7d38

SHA512
b25f6edc19ef233c0dc3c77e3ddc8488822832a8a8f333098bec958e2793139a810c4a779db3e366ba813d1e51fcdd9ff341c979b4210f99b5de769a7b56f119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
088151efb6bdce36666302a81689d060

SHA1
e34852ebcf10cecabf9a191139667a04baf87424

SHA256
c9b06be7be34f28c8314d68e28ad99e451e422e43b93f31d08c6f3d0f0832460

SHA512
8f1a04a7dfc4bc937deb0b3a2edb328e0067afdff96ce2d5b15cf99d0d1181d83d3b305de44bb6c008e8e462a12e5895f4ecd0e314ff76b20c5ffef817de11e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
e7424bedf144c030972753e7a19a1b84

SHA1
5141d7a989119cec79fc5635d3128adea163d21b

SHA256
cfadf1c804a39f5acc861cc56ba48b7cf410c8505b79b4209b4e4d16b7d8766f

SHA512
3b1322898e918f5255e662f3b2e92f630c3a6bf4ccb7855a5430a7aade28d1a0dda15c5fa3150f2130c2dfb0d6a461cdaa09deb45cc22e32deb3a8940a8e00b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
61a56ede59a21762333fed11cb3f7ab9

SHA1
f385328867a1e478cc2eece534b6ea270bd11075

SHA256
e72b26f627f75fdb4f0e92fa62bb7f8b585b179d6ff4b4f10c9cd940c28df99a

SHA512
ca58a3d16e59c6fddcdec300fd6939a52c9fa7904012b43c4c2ebe2ade8c4e504705f144d4210ee9d046d9a11440e04eed8f3165bb05a334b18e2f8da5c785cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
93f1abfe178cc0154cbbd25287eca7b3

SHA1
47392848e6d021df28ea28059da316fe62af3120

SHA256
81b5568d33dd9e67ef9d6a7b20620ad65cd42d72e85c2c93aa4706ca652f8f72

SHA512
b972a6976282e1b81587adffe4f8e4160242050dec05a6573f51649c5ac80eae73af1655019b5bbe9f364995915cd84dca7a85f6353818f4e4ad10c1285cc799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ded29eff-c987-4dda-9474-ed43f7afe1fa.tmp

Filesize
6KB

MD5
d35cb0e13909f590ce931a0e42bd95e0

SHA1
bfb813ced29207ed5965d8a696c751b4ada11db6

SHA256
0b36f0897a77899b9d9da57f41fd5c27412f65c44aa4687690ee4cfefe71dda2

SHA512
ba875538178d6792c68c9536463cb1e3a7b959d05e88e2dab43ee2f89656da457681d9ed6134cccaae294bd9cd2d357ba19321afb630cda8918512f9eaec5ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
e98fd5183668c837699916b0ea99224f

SHA1
4f86e09c97983121439400489d4752905d68770a

SHA256
0ff75e6c46d7fe8d07a5f3a37bb5fa0ba5a750a68a98efd24c2414f32863547c

SHA512
6747aa3698553b0962882a9c7569dd522eff0522daa95dd924c8dda34a1fd747fef8efea7c309b62b93a2f5d5790cb27849039e4c097db7f48ec9e77211aa6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3653.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
memory/1624-2-0x000000001B0E0000-0x000000001B160000-memory.dmp

Filesize
512KB

Download
memory/1624-3-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1624-4-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1624-1-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-0-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/1624-63-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download