stormkitty | 4a91135e56bc3b6e549264e282777e09a503f3981c9e96de7bd0ab5b3c92d3ec

General

Target

Vape-Lite-main/Vape lite/Vape Lite/Vape Lite.exe
Size

1.1MB
MD5

76b71c959ebea10097b79dbf739952bb
SHA1

18eed993b7908a8624850231922a0e539bd36520
SHA256

93afa8b28fd4f3c04d0bcf0056cd16473f7eaed23e1ab483bfd4ad12f3080622
SHA512

a237c09189588ce218fdf66c45615a93337faeac51984eddd64a7a3f9bf9c0ec4dd9f3fded4d2188296ea82421249459a5df194a3da7616761169a9738b919ff
SSDEEP

24576:3dlNXaV9x4IUgs36BUI2So5+jnzFoCaGApu8:3r0T+Sk6BU7HIFo7G98

Score

10^/10

stormkitty persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000C80000-0x0000000000D9C000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org

flow	ioc
2	checkip.dyndns.org

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133657186413035009"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3144 chrome.exe
3144 chrome.exe
2928 chrome.exe
2928 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Vape Lite.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2424	Vape Lite.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe
Token: SeCreatePagefilePrivilege	3144	chrome.exe
Token: SeShutdownPrivilege	3144	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Vape Lite.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 2424 wrote to memory of 4976	2424	Vape Lite.exe	cmd.exe
PID 2424 wrote to memory of 4976	2424	Vape Lite.exe	cmd.exe
PID 4976 wrote to memory of 2124	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 2124	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 4076	4976	cmd.exe	netsh.exe
PID 4976 wrote to memory of 4076	4976	cmd.exe	netsh.exe
PID 4976 wrote to memory of 4940	4976	cmd.exe	findstr.exe
PID 4976 wrote to memory of 4940	4976	cmd.exe	findstr.exe
PID 2424 wrote to memory of 2292	2424	Vape Lite.exe	cmd.exe
PID 2424 wrote to memory of 2292	2424	Vape Lite.exe	cmd.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	chcp.com
PID 2292 wrote to memory of 2624	2292	cmd.exe	chcp.com
PID 2292 wrote to memory of 4296	2292	cmd.exe	netsh.exe
PID 2292 wrote to memory of 4296	2292	cmd.exe	netsh.exe
PID 2292 wrote to memory of 2184	2292	cmd.exe	findstr.exe
PID 2292 wrote to memory of 2184	2292	cmd.exe	findstr.exe
PID 3144 wrote to memory of 3092	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 3092	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4472	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 2468	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 2468	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe
PID 3144 wrote to memory of 4288	3144	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Vape-Lite-main\Vape lite\Vape Lite\Vape Lite.exe
"C:\Users\Admin\AppData\Local\Temp\Vape-Lite-main\Vape lite\Vape Lite\Vape Lite.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2124

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4076

C:\Windows\system32\findstr.exe
findstr All
3⤵
PID:4940

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2624

C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4296

C:\Windows\system32\findstr.exe
findstr Key
3⤵
PID:2184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8fad3ab58,0x7ff8fad3ab68,0x7ff8fad3ab78
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:2
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:8
2⤵
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:8
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:8
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff735dfae48,0x7ff735dfae58,0x7ff735dfae68
3⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4952 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4132 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4784 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4260 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4272 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5032 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3268 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3212 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3196 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4760 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3984 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5172 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=1696 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1496 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=2236 --field-trial-handle=1680,i,17340236897796720212,15135994846556215685,131072 /prefetch:1
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ef1ec260a42caf391b6b83bd2fb70edd

SHA1
2fb889480077490102da11bc239cfc7780caed6e

SHA256
5aee0822de9b2082198a82a9ef5a234d3835baf6b00ce82d03d99a916681932e

SHA512
7d7867890a0bf7094fca55752d313dadd7221038d9a1b50cbed97ad749d87691d69db1ef7af001ec5fe99d54007b5b472b6237f7201d147d9ac81de20da5ab81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ffda6de3b6ac33f3eae6aa7f8a25bbfd

SHA1
262523ac1cd0b6047d4f4602a9e5d2082cad01bd

SHA256
faf2d508bc347478e46829c954f0da660c999214d2d00913c7392f4eb2e25b85

SHA512
dce2c9a959af457940de046341577884962caf643759ab2e5a0d15b4dd91cb8649da003aec5242685bbbf338ff484114fedce8ea6518ec70be5bc4f6eecc34e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
957b147751a39672de2a4b94585936bb

SHA1
85fd94ddc255a2db8a50fb91623bad62eac167cc

SHA256
32b6c5c34f0162f472727963ee507b435de6303b8e706ce3aafad41cf38bcc42

SHA512
4b3af72410112664a640a7321ca1da8c87188546f50973e789d553f209d444119bc1c4989b119502656628f376e9b51a2dad48bfea1d2dd58743f807b1a71224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
43a0054a79fb246c1ac5944d7463c2e0

SHA1
69df5ef1e08173dbf663ea19af19cf3f29501489

SHA256
9d532f50b5dfeb9797e11910366c3bb949e02ee0a45148826062d43ae01a1f03

SHA512
84ea2eb0d2a018a1ecae319c5f591fae3963da4574af7dfce6b71241575b3ba0ff8fd9fc0b8a2b56b0e59d0621bf3937230365b83bcd38d32883072e91263b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
0f2215d9f43bec376e05ca155573cbe2

SHA1
95e43d54a5a674fa7623ac744d34ad83dfc5f1c9

SHA256
fc342bb35e6f00b807b4dae4d0cd7023848b8b98fdd64324a4cc73b344c1b493

SHA512
e19f130332afbe13873e2d67e0b8a9beab76b43dbcd81ab55262f3fa4d9ecc3500fb3b9d11ee0c2cfac774129e3a63447c810c7e6bcbab79dddc757d22508c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt
Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
\??\pipe\crashpad_3144_QMKRRBFAODZLWQIR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2424-2-0x0000000002E30000-0x0000000002E3A000-memory.dmp

Filesize
40KB

Download
memory/2424-29-0x00007FF8FA1D0000-0x00007FF8FAC91000-memory.dmp

Filesize
10.8MB

Download
memory/2424-27-0x000000001DEA0000-0x000000001DEDC000-memory.dmp

Filesize
240KB

Download
memory/2424-26-0x000000001D150000-0x000000001D162000-memory.dmp

Filesize
72KB

Download
memory/2424-0-0x00007FF8FA1D3000-0x00007FF8FA1D5000-memory.dmp

Filesize
8KB

Download
memory/2424-4-0x00007FF8FA1D0000-0x00007FF8FAC91000-memory.dmp

Filesize
10.8MB

Download
memory/2424-3-0x000000001BF60000-0x000000001BF7A000-memory.dmp

Filesize
104KB

Download
memory/2424-1-0x0000000000C80000-0x0000000000D9C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads