stealerium | 5a7f0ae453a4302dc288e00b6392923906ead1f181d338ab1c02a4a78f78593b

Analysis

max time kernel
149s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
26-05-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

1.6MB
MD5

5c51643f4c3ca737d3162d82840761c7
SHA1

dede91d3e74af7b5f67a65c0fffc2fc8ca349b32
SHA256

5a7f0ae453a4302dc288e00b6392923906ead1f181d338ab1c02a4a78f78593b
SHA512

8215fb4221a725918e6eb89cb7e755c185eff496e4b0d3116898411ac73841fffaed4ebfb1d1de512b61e676950b5ceec115f1533622a40ed1a51abf2ecb6468
SSDEEP

49152:ULTq24GjdGSiqkqXfd+/9AqYanieKdQc:UiEjdGSiqkqXf0FLYW

Score

10^/10

stealerium collection spyware stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1244281935228965048/sJAD8BhTylLJViwx58UHGY7unbr6jQqQZSC4HrgK1L_fWJYHE1waujg1JuSnxcq9zxf6

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
12 discord.com
59 raw.githubusercontent.com
1 discord.com
2 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com

flow	ioc
3	raw.githubusercontent.com
12	discord.com
59	raw.githubusercontent.com
1	discord.com
2	discord.com

flow	ioc
3	icanhazip.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612151166294074"	chrome.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

build.exe

pid	process
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe
228	build.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4316 chrome.exe
4316 chrome.exe
4316 chrome.exe
4316 chrome.exe
4316 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

build.exemsiexec.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	228	build.exe
Token: SeSecurityPrivilege	1640	msiexec.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	process
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

chrome.exe

pid	process
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exebuild.exe

pid process

3376 OpenWith.exe
228 build.exe

pid	process
3376	OpenWith.exe
228	build.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

build.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 228 wrote to memory of 4076	228	build.exe	cmd.exe
PID 228 wrote to memory of 4076	228	build.exe	cmd.exe
PID 228 wrote to memory of 4076	228	build.exe	cmd.exe
PID 4076 wrote to memory of 2144	4076	cmd.exe	chcp.com
PID 4076 wrote to memory of 2144	4076	cmd.exe	chcp.com
PID 4076 wrote to memory of 2144	4076	cmd.exe	chcp.com
PID 4076 wrote to memory of 4500	4076	cmd.exe	netsh.exe
PID 4076 wrote to memory of 4500	4076	cmd.exe	netsh.exe
PID 4076 wrote to memory of 4500	4076	cmd.exe	netsh.exe
PID 4076 wrote to memory of 2860	4076	cmd.exe	findstr.exe
PID 4076 wrote to memory of 2860	4076	cmd.exe	findstr.exe
PID 4076 wrote to memory of 2860	4076	cmd.exe	findstr.exe
PID 228 wrote to memory of 3332	228	build.exe	cmd.exe
PID 228 wrote to memory of 3332	228	build.exe	cmd.exe
PID 228 wrote to memory of 3332	228	build.exe	cmd.exe
PID 3332 wrote to memory of 3108	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 3108	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 3108	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 868	3332	cmd.exe	netsh.exe
PID 3332 wrote to memory of 868	3332	cmd.exe	netsh.exe
PID 3332 wrote to memory of 868	3332	cmd.exe	netsh.exe
PID 4316 wrote to memory of 1264	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 1264	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 768	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4688	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4688	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe
PID 4316 wrote to memory of 4944	4316	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2144

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:4500

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3108

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe24d7ab58,0x7ffe24d7ab68,0x7ffe24d7ab78
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:2
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4508 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:1
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1780,i,8323451141105421934,15666659213602769311,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\OneDrive.txt
Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\Startup.txt
Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\Directories\Videos.txt
Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Apps.txt
Filesize
4KB

MD5
7610c1e8507a2036dcbddd2661e0da78

SHA1
3457906b1bbf44870fe6ac51165dfb5ccdeefd72

SHA256
9316d47815132a221562d03c2cb6167a6a6e300aaa4db73bd07439d939a4e76f

SHA512
1577208c24925dce0d633ed3dd7c851888f45f2cdc23bf219e400c391b59302a5f535c0f6acf8bcdbb9495d6af20f1de2e9a9f8bfbb11a11e4e8e4744cce845f

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Debug.txt
Filesize
1KB

MD5
fd79cc2e56698e01eed0b5755a791bec

SHA1
9f6fe0fadb9dfde83d02fbb2c450679e59dc6e1f

SHA256
0bef87789ec3d1800a457b2cc07e7adc0b5f65af34f6409daf3f2f8bb6a9fced

SHA512
695a8abffaa1369cbe2fe025f553cba7ffd8c50606964ef2dbf16421c09c01e90921df5de4292c9e1707cae544eb96eb8231ad3f424162a6ca66d7016bcd3245

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\Process.txt
Filesize
4KB

MD5
333357bc353bc37c73433d789d3e7ead

SHA1
d0a4942d6d35e64e93b8c60cf05adf20831b40aa

SHA256
f927f5c25c3865c360e039fd966460fabea598d1c0b01fd5c15944a2a7a8c7a8

SHA512
e143914d861ede9c5f441497f42db8ce772b6935f66eb6e99feae638d59725f127de7d0b6859891055cbcdb3923040cecb21e4d5707cdcf6ca0dcaa8e1328567

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\Admin@UARODAWW_en-US\System\ProductKey.txt
Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\6f7efe2142da6968d8c25754e8fa661c\msgid.dat
Filesize
19B

MD5
2430c2abc611d2a06d5e21d22f771e14

SHA1
3d52c8fc87f37e96d3d657694bb0c4008cb3941a

SHA256
88302c71db1a8263001846afa1fef08d5a735f61e9667d584d467c7e9c2d98e7

SHA512
d6b2655dabfa424b9a04c23c32139ecbd00410ba4366c3e18723ac9ad55842ef97af38fd44b429c5575d8b9ab22892e2f68707c06cb7d39153481d67041c98c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize
24KB

MD5
b425a3c0c715d4ba7c6bf4cec5df69a5

SHA1
c3bdd73bbb0ad57b910718a10fa2ceac8ddb778c

SHA256
78027f1f209368cbf00394cb383caf948bbf1c642ab94934cd0a9ad266530e6f

SHA512
125f0eb751c62ae74682f03ebb3e83f5ee93f5c22b2b94a4e3d558cc3da04ca7e2f0f0b9c788c9b9abc32b823c849919b74d9f13662a920d8cf0906a661e676f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
1e59260eae2f0479fda62cd71eeaf5cf

SHA1
1a9c0d2218c73a8f9ea79f6f32c8b439ed455f24

SHA256
53128308b8e6c829d1cd24e36b1f6095df04b2190066e0279044f54da81d5c57

SHA512
d1216b0250f1b399f0500cdfd797b22bb6549780e845e5fbefa4ebfa0de3d4c96485f6a7aab773ee0577c86debce49042e32bc42fb6bc1d001283154509fc009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e88fea60474b90bd9bf744bb4788576f

SHA1
8ca7d421624d0f40438222cb803e3186cdd301e3

SHA256
3c801bcdf60934c3abf28f5513225ef907b46a8795ab606e8474c5c2a3bbffa5

SHA512
06672a30dfcfa397e922a8046a4a4b2f833a9ce1387bbb388a5b3c34c1f4832825fde56588a16e4dda3e7850668a5ee3df42db00cd94ec827bcd79c6f21bc21a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
34cc079eb682c0b874ccdf12ba67b936

SHA1
f6ec310ea728bd65155b17459d69ee18579f80ac

SHA256
306d8e8a439d8223e50d4aa334edcacb31062213c9b4d4f8b27219eb39e1d6c7

SHA512
819cd6e3e21cced9a660114baadf9e69b3d546efd22649f1bec5471786fa5ef3b1394549e25cf69da82c640ee39a526527f2a17352495fca3c1007fb3c79481e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
aa3852ffd17a8a943c006da143de35ec

SHA1
b3533b107a591a4ea7c234128dad85ef682d7ae1

SHA256
ccadacb6a8d5e37a4babdc331a75080219ad7bb0dc0c2c3287467d45fd412c74

SHA512
31f71787ccd64f6a9784e7f14344eb06e80fac2b2ee07800d6f17497660702bde331d0d66309e28fcb4857732dd48515ea88607e84bf7a8ec39f1d37a9a3fb9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
593205f8f80623489da6a762a053674f

SHA1
418b142e07f9e0a7b323b43daeed70d43093eef2

SHA256
000523ee9b63a583b2dac2b06e5780f6b4c7c8fb9216f887258cc0d687884190

SHA512
6b164c9e6b07e108afd02f1a92827edc182891351f5a3a558bfc9e6887882fde5fb67314debf1bd24a2cc8dd8131e4e62e73ff81211f79c013b2537e83af0608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
baef4248960eea4eb2299a89acbb8a88

SHA1
dbc92ced88adbab38f94985937263da8581b6efb

SHA256
d24049bae86276ac97ad109ad7aec239898e6c902b0608767290115c171bf827

SHA512
f9fd4ea50d58cdca35ae1d699155e4fb336676f6cc646eba7fb73fcbf4d1662e9f8777aee606b5d883aff92c67546605991f399298f1d195f91f647611bf7c0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
79e684396b380aad8f68fb4211c00872

SHA1
d330f188534118027590a7860d2268210b27b61d

SHA256
388a2097c0bc5a559e6cfebbe89119b3d9a4133ca744097a3b7ae77c3d737e01

SHA512
f970a92be644f1e3aa59df89355fcbafad46d796548ba13a3ca5ecc804e5e4d49928d940614c6cb1fc65e380b199b97cf32bb7314c4367b031f50752d18eb5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
a591541b2f6f1ec764b1360a44661fd5

SHA1
deb6232b13a51f4ee468f791c1591671c290abe0

SHA256
3e4faa06b198c868c0bf5bbb3e60a24f4a588b8b60f56df3041ba205bda58227

SHA512
bc9790dbb54a9472ff7023577a97ed2f4f6454a4f432bdd64411d31223b2908b7e54b68377f7de2705d45ca3e38be8981c3314f1d0afe007745b77dae957c7ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f3eb473ba200292ab62a3ca47c41b5a3

SHA1
2ea2e43d8882740acfe8dfec03016e433b75cf2c

SHA256
586cca30492179e345fe31ac23ac6cf6a8895d4a13a608827cee0a549827ffaf

SHA512
36881705921c2729c4aafe0b1bed769e265bcd22f335d9679b7c844fef564da10d2bd488d62d87749809f8aedede4ac4b7b8e2c008a4aea487987c0872b75d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
bd8af046d15fe8d448a4577b26490012

SHA1
327ae57c473278cfa5ec22cbda514fef80e4d146

SHA256
860fe09d8353f023b307af9f09f09ada9dd28996bbff93f12e16ad3bd2e3290b

SHA512
31912a8b0c78a94933f40b057e8b510b4bcd4bf62d3245d61c801e5eb533f2e3a5aeaf95a7961cd653403eefefa360f53313d7a5a4f26f8040b3e25bfb5a437d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d0af60b0ab82d8aa172c1e1a59f475ac

SHA1
5809bdbaac7e48ad5e6c90ad9ee91810b0df06db

SHA256
b97a0a6002e8bfe0d5cbf126f2f084f0657784b5281eb18092763aceff72a80f

SHA512
db45da05246eb24691de22290d6d13fb9d8655155bebfcc91ab352a552fe30fe94d22396accb81fe1738d89b676a54166098d4ce868fa0956d73db7e172fae2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
8d7f0585675679686b3aaa7780b12f03

SHA1
67e907f0aecd9816f23281dd0a94196da176768b

SHA256
ea1fe64c07c7f84eb247aea86e7736ba2015a716bb66716472c24e1d2e379cf1

SHA512
a048b6f31e2b8b2afe1b028b5e4b5b22700a733266ec9a7e25c22a80aebc219f685ab6091de4933e27a6ec7690bb70da4eb69a55531ce5221abe8ade6ab5e171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
504ccc158e2cd8ffe2d72313fec21723

SHA1
d112583fcd28d8ab7870b78e45681b0308698779

SHA256
0dc5ab7d2c7a8a8d8cbd9a5e6c49290467229b28e7e11871af01aee5b54efa48

SHA512
ff22ee17bf6144e041ee37678f51f0a4397cbfcc022ae2e906361263de3b8daffc84478de78842109012513aec494f77cd1651a24ab877198f21fb5e036ad158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590267.TMP
Filesize
83KB

MD5
b4966cc8ee9ccfa1afe00f76bf78e709

SHA1
b585312d84f5487082eb817042eef53943f7f2ba

SHA256
00847ce14e4ae365bfb9260fd8793fb05bfa9fece41573190ae1027009e1bed0

SHA512
1ce687f90c633ac9574b19d64867f07da695b08d652dc16cbc333d670af08e7d84ec4e6cf842e4ad67bc17ccc371da5503d55957f7d3fa83c31c9480ffb3be1d

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip
Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_4316_IQIGRNJVCDFOBLVK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-69-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/228-281-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/228-280-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/228-279-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/228-267-0x0000000008E50000-0x00000000091A7000-memory.dmp

Filesize
3.3MB

Download
memory/228-266-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/228-264-0x0000000006EE0000-0x0000000006F92000-memory.dmp

Filesize
712KB

Download
memory/228-195-0x0000000006870000-0x00000000068EA000-memory.dmp

Filesize
488KB

Download
memory/228-75-0x0000000007410000-0x00000000079B6000-memory.dmp

Filesize
5.6MB

Download
memory/228-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/228-12-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/228-11-0x00000000065F0000-0x00000000065F8000-memory.dmp

Filesize
32KB

Download
memory/228-10-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/228-9-0x00000000056C0000-0x00000000056C8000-memory.dmp

Filesize
32KB

Download
memory/228-8-0x0000000005690000-0x00000000056B6000-memory.dmp

Filesize
152KB

Download
memory/228-7-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/228-3-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/228-2-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/228-1-0x0000000000490000-0x0000000000622000-memory.dmp

Filesize
1.6MB

Download