stealerium | bfb2d2414f60614e012a7332d4a6606588d8add0e927516d17d45cafe2119338

Analysis

max time kernel
86s
max time network
212s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

1.6MB
MD5

90ef1657375602c233da4ce1a9ca8a6f
SHA1

556b3e441b7a754a70918d5a826b7b570437cc10
SHA256

bfb2d2414f60614e012a7332d4a6606588d8add0e927516d17d45cafe2119338
SHA512

11ba8a5606b818e837415649e94231bc2fedf94a58aa8ae4b8b44b0eef3e23ab8a621894aaa5a2ef76a278724eb9c8a823e2fa27b373b10d99e99c2618c3e77e
SSDEEP

24576:ni2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLrd:iTq24GjdGSiqkqXfd+/9AqYanieKd

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

Prueba

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 discord.com
5 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1660 timeout.exe

flow	ioc
4	discord.com
5	discord.com

pid	process
1660	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

528 taskkill.exe

pid	process
528	taskkill.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

build.exetaskmgr.exechrome.exe

pid	process
2804	build.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
764	chrome.exe
764	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1960 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

build.exetaskkill.exetaskmgr.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2804	build.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	1960	taskmgr.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

build.execmd.exechrome.exe

description	pid	process	target process
PID 2804 wrote to memory of 2856	2804	build.exe	cmd.exe
PID 2804 wrote to memory of 2856	2804	build.exe	cmd.exe
PID 2804 wrote to memory of 2856	2804	build.exe	cmd.exe
PID 2804 wrote to memory of 2856	2804	build.exe	cmd.exe
PID 2856 wrote to memory of 2784	2856	cmd.exe	chcp.com
PID 2856 wrote to memory of 2784	2856	cmd.exe	chcp.com
PID 2856 wrote to memory of 2784	2856	cmd.exe	chcp.com
PID 2856 wrote to memory of 2784	2856	cmd.exe	chcp.com
PID 2856 wrote to memory of 528	2856	cmd.exe	taskkill.exe
PID 2856 wrote to memory of 528	2856	cmd.exe	taskkill.exe
PID 2856 wrote to memory of 528	2856	cmd.exe	taskkill.exe
PID 2856 wrote to memory of 528	2856	cmd.exe	taskkill.exe
PID 2856 wrote to memory of 1660	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 1660	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 1660	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 1660	2856	cmd.exe	timeout.exe
PID 764 wrote to memory of 884	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 884	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 884	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2720	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2256	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2256	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2256	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2648	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2648	764	chrome.exe	chrome.exe
PID 764 wrote to memory of 2648	764	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2784

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2804
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2184

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef59f9758,0x7fef59f9768,0x7fef59f9778
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:2
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2372 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2392 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1176 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:2
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1440 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fc37688,0x13fc37698,0x13fc376a8
3⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3904 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2788 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2188 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2652 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3784 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3020 --field-trial-handle=1420,i,251652449831024165,7141917578396784896,131072 /prefetch:1
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0804b4884bbc46119a0b9f3cd3da0569

SHA1
a26420e12e780d3e4006af4c9a02fa50b32d398c

SHA256
65b152318bbe27c7a6953cd12b802f5a93cd870b17458ea153c5be3f3c3f0941

SHA512
653892620548623e0a55d8304575df7fc5839f5b33f7648b150a4cff67d151a52830d343ab059f921f9873329cf8362153dc907d4b6be98e920a00bdec18631e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
f25e5065f50668bd38dd605abdccee2e

SHA1
45c380e6485fd0a6f5a33d177b993d0c2a953d66

SHA256
258e95657d3b62c49bfa342d20d65033a2e69082298e4970502408ce3eb9ca66

SHA512
8966784c59da7bb3730ebfa1a565ccb22eaa757ca2825f1ffddcad751f15025361f7832bd4ac92b82c6c707c804be951a5b2c9cb1a04dbadb12d3391c9e7520f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
8477790d74cedaa8c53659d6e5d522f9

SHA1
c45786231e0fa505de936dfaaf5ee56085ca3a7e

SHA256
1eb0d902ecb9d50f113831a885f203846fb213cee905fb245a3c87cb2d4857e8

SHA512
cd405a829cabb4638636738523b11b49c12efe19d64e28a96ef98b06a5b56cee61817a4188c077aaa085b2251a3850b6b3421ea5326740bd4ba4c8fe1f26ce3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
829ff3b367651a0193008874d0804f62

SHA1
02aeef76408e9f9d566a7bfca626c5c42d5f6cd8

SHA256
6a5c591851907dde05dabbc617761fc14a46d60908811cb8ac360bd15bc3382f

SHA512
7b1ef8e77688f9202e4ca29f0d0b848029f1d6b1588c30de10a524f11df1520a85e022dd8525928647dd10faf25334beaf6f24691a39d1e2fef9df33427641af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\db667255-c3eb-446d-a4aa-6392aa66c7d3.tmp
Filesize
5KB

MD5
c40e25b8a3dc904e1e365c477285b9b2

SHA1
c1319b6012427fe2041522d758f45350379a9f44

SHA256
d1bafd886289e243d1acef736849058d837acd22189dc50c2f45b53a1c4997c9

SHA512
18db1ff57ff99af45958f7a3b5ad7090aa665728a4d8dd09d1f4a30512252f81087d24a8a43268b5e19760ded160b03a16db07dd2bbbc85437bc808ce1821d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
267KB

MD5
f4ed2798e2adb163ebdc35a8bc625506

SHA1
58933d7a7a6b9b88a6c76ec43670a05a59630790

SHA256
030b252cee7e6c2aa4214f4162c167b7ede0be2aca00560dc87868aea3cd209c

SHA512
f20e3d8299ea082478f0517cae9e156bc8fe9354a206142c9ef69600c6be04e8ee961cdedd2741f2f9a6510da0ba338ba845029a4843b765ceba4311331086d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB73.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.bat
Filesize
57B

MD5
91bcce537d493b918abde30773f3aa97

SHA1
a2118f6df28225ed1a79be080b5b0a5fe9b4c9e3

SHA256
fd6e59d8722d42c30920b38e6395d68543375690695417282da8c1707b01347b

SHA512
aa217618edaaeacf544c446a8679c5ea8e44532bd05643b6ca94bd50d6491dd66959719e33f02c30908b05a582b0279125ea8681bf20b23b3b80751955d7893e

Download Submit
\??\pipe\crashpad_764_XTBQAYRGCFNLVLBJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1960-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1960-51-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2804-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2804-49-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-7-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2804-6-0x00000000005C0000-0x00000000005E6000-memory.dmp

Filesize
152KB

Download
memory/2804-5-0x0000000004870000-0x0000000004902000-memory.dmp

Filesize
584KB

Download
memory/2804-2-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-1-0x0000000000BF0000-0x0000000000D86000-memory.dmp

Filesize
1.6MB

Download