stealerium | 116d51aa097e582fcddc683dba38a8d58379d842d86749759a39b8787a816da0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBDeviceDriver.exe
Size

1.6MB
MD5

6c573478bb39b6c75c4b5638a56220b7
SHA1

26a519cf4cf34aeaccd8084e8f41ecad695216d3
SHA256

116d51aa097e582fcddc683dba38a8d58379d842d86749759a39b8787a816da0
SHA512

2b36dd9f9f3af2a6d2eea7c5dcb872e06b095349fc133a77ff427267ead0b3f454b4aebd83b44b4fa3dea771c9ed5f2b3875d29dcb04a192017549431419db94
SSDEEP

49152:RcfTq24GjdGSiqkqXfd+/9AqYanieKdQ7:RcOEjdGSiqkqXf0FLYW

Score

10^/10

stealerium collection credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1280955822868008990/uc6CjchX7Q8HfidEPNcoXcUpOOaF9I7SdZrxVEPNz0GcWiC3unwZgAsmKbHqyhYW590_

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	icanhazip.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
600	2372	WerFault.exe	30
1248	2828	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBDeviceDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBDeviceDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2832	netsh.exe
1320	cmd.exe
2800	netsh.exe
2784	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	USBDeviceDriver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	USBDeviceDriver.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	USBDeviceDriver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	USBDeviceDriver.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	USBDeviceDriver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	USBDeviceDriver.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2372	USBDeviceDriver.exe
2372	USBDeviceDriver.exe
2372	USBDeviceDriver.exe
2372	USBDeviceDriver.exe
2372	USBDeviceDriver.exe
2372	USBDeviceDriver.exe
2828	USBDeviceDriver.exe
2828	USBDeviceDriver.exe
2828	USBDeviceDriver.exe
2828	USBDeviceDriver.exe
2828	USBDeviceDriver.exe
2828	USBDeviceDriver.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	USBDeviceDriver.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeSecurityPrivilege	1856	msiexec.exe
Token: SeDebugPrivilege	2828	USBDeviceDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1320	2372	USBDeviceDriver.exe	32
PID 2372 wrote to memory of 1320	2372	USBDeviceDriver.exe	32
PID 2372 wrote to memory of 1320	2372	USBDeviceDriver.exe	32
PID 2372 wrote to memory of 1320	2372	USBDeviceDriver.exe	32
PID 1320 wrote to memory of 1812	1320	cmd.exe	34
PID 1320 wrote to memory of 1812	1320	cmd.exe	34
PID 1320 wrote to memory of 1812	1320	cmd.exe	34
PID 1320 wrote to memory of 1812	1320	cmd.exe	34
PID 1320 wrote to memory of 2800	1320	cmd.exe	35
PID 1320 wrote to memory of 2800	1320	cmd.exe	35
PID 1320 wrote to memory of 2800	1320	cmd.exe	35
PID 1320 wrote to memory of 2800	1320	cmd.exe	35
PID 1320 wrote to memory of 1396	1320	cmd.exe	36
PID 1320 wrote to memory of 1396	1320	cmd.exe	36
PID 1320 wrote to memory of 1396	1320	cmd.exe	36
PID 1320 wrote to memory of 1396	1320	cmd.exe	36
PID 2372 wrote to memory of 3048	2372	USBDeviceDriver.exe	37
PID 2372 wrote to memory of 3048	2372	USBDeviceDriver.exe	37
PID 2372 wrote to memory of 3048	2372	USBDeviceDriver.exe	37
PID 2372 wrote to memory of 3048	2372	USBDeviceDriver.exe	37
PID 3048 wrote to memory of 448	3048	cmd.exe	39
PID 3048 wrote to memory of 448	3048	cmd.exe	39
PID 3048 wrote to memory of 448	3048	cmd.exe	39
PID 3048 wrote to memory of 448	3048	cmd.exe	39
PID 3048 wrote to memory of 288	3048	cmd.exe	40
PID 3048 wrote to memory of 288	3048	cmd.exe	40
PID 3048 wrote to memory of 288	3048	cmd.exe	40
PID 3048 wrote to memory of 288	3048	cmd.exe	40
PID 2372 wrote to memory of 600	2372	USBDeviceDriver.exe	42
PID 2372 wrote to memory of 600	2372	USBDeviceDriver.exe	42
PID 2372 wrote to memory of 600	2372	USBDeviceDriver.exe	42
PID 2372 wrote to memory of 600	2372	USBDeviceDriver.exe	42
PID 2828 wrote to memory of 2784	2828	USBDeviceDriver.exe	47
PID 2828 wrote to memory of 2784	2828	USBDeviceDriver.exe	47
PID 2828 wrote to memory of 2784	2828	USBDeviceDriver.exe	47
PID 2828 wrote to memory of 2784	2828	USBDeviceDriver.exe	47
PID 2784 wrote to memory of 2568	2784	cmd.exe	49
PID 2784 wrote to memory of 2568	2784	cmd.exe	49
PID 2784 wrote to memory of 2568	2784	cmd.exe	49
PID 2784 wrote to memory of 2568	2784	cmd.exe	49
PID 2784 wrote to memory of 2832	2784	cmd.exe	50
PID 2784 wrote to memory of 2832	2784	cmd.exe	50
PID 2784 wrote to memory of 2832	2784	cmd.exe	50
PID 2784 wrote to memory of 2832	2784	cmd.exe	50
PID 2784 wrote to memory of 2596	2784	cmd.exe	51
PID 2784 wrote to memory of 2596	2784	cmd.exe	51
PID 2784 wrote to memory of 2596	2784	cmd.exe	51
PID 2784 wrote to memory of 2596	2784	cmd.exe	51
PID 2828 wrote to memory of 2088	2828	USBDeviceDriver.exe	52
PID 2828 wrote to memory of 2088	2828	USBDeviceDriver.exe	52
PID 2828 wrote to memory of 2088	2828	USBDeviceDriver.exe	52
PID 2828 wrote to memory of 2088	2828	USBDeviceDriver.exe	52
PID 2088 wrote to memory of 856	2088	cmd.exe	54
PID 2088 wrote to memory of 856	2088	cmd.exe	54
PID 2088 wrote to memory of 856	2088	cmd.exe	54
PID 2088 wrote to memory of 856	2088	cmd.exe	54
PID 2088 wrote to memory of 2852	2088	cmd.exe	55
PID 2088 wrote to memory of 2852	2088	cmd.exe	55
PID 2088 wrote to memory of 2852	2088	cmd.exe	55
PID 2088 wrote to memory of 2852	2088	cmd.exe	55
PID 2828 wrote to memory of 1248	2828	USBDeviceDriver.exe	56
PID 2828 wrote to memory of 1248	2828	USBDeviceDriver.exe	56
PID 2828 wrote to memory of 1248	2828	USBDeviceDriver.exe	56
PID 2828 wrote to memory of 1248	2828	USBDeviceDriver.exe	56

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	USBDeviceDriver.exe

C:\Users\Admin\AppData\Local\Temp\USBDeviceDriver.exe
"C:\Users\Admin\AppData\Local\Temp\USBDeviceDriver.exe"
1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2800
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2432
  2⤵
  - Program crash
  PID:600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\USBDeviceDriver.exe
"C:\Users\Admin\AppData\Local\Temp\USBDeviceDriver.exe"
1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2832
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:856
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2468
  2⤵
  - Program crash
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US.zip

Filesize
71KB

MD5
d1de1690f08bdc44900c5d9ac8ef0c11

SHA1
8d9eb5f2c9e4b8eede630d55ca444a7ee5c733ba

SHA256
367cee7f373097bf5e03d678bea423f1376339a16a534bee5d1b41679a99f938

SHA512
a9fad78f02b212123ca2e4e9f64fc20e2844fe632250108eb122ce8c040562389d7a1ca1ac543c8540fcf5a7fd1d3750df3459bd9aa130ddec7356189a36eb18

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Desktop.txt

Filesize
494B

MD5
e5b3cf8be46a73fa9c1103fafc3ead6c

SHA1
524378034fb3ac177e171d5982c9883a7b7bb0cc

SHA256
ce36819af5d7808a7fc828af2549c3eee0768e9e7ced9f973ef1178abeab1c4f

SHA512
62d19bae731179d3c7f94a80b53c581be5fe4af0435b509708537dcf32a8c700f8d1ff3d03472fc87a5381f664ca6f473b23f61334f07c95c7560086a2c22641

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Documents.txt

Filesize
650B

MD5
d601e31118f117f3de4fa34546c16418

SHA1
af05a16d7c87e0e7d83de5b33bc13c57b0ca5377

SHA256
0a5fd332648f4735d6e6c3f1a74fba5bbaa49aa0d1ac0f613a029be2f199ee5f

SHA512
8d4f349c1edfe04ba2268b879b49583b6490ca8413639686546be2724be2af9a54bb8fb40eccb7f2f729784c17cddf0666a32c2635232635da2019e73b328e87

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Downloads.txt

Filesize
602B

MD5
ba073cb690cd395da2de62094ba650a4

SHA1
cf5979144e7836d2aa843deed756e63125dbd8e3

SHA256
77753fe2a390915483c81127508564cd13e72f66df3f811e0be204ae815145ee

SHA512
9bf3e109a432015ba5db2750003621ce88b2212cf01b891956fe824d383fe70ed7f514b3ac416df027d97e7dc8a3a9baca59f206e325fef92abe2c55193dc423

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Pictures.txt

Filesize
567B

MD5
301a884ca1448368dacf380cf6c4fe61

SHA1
1c0d2d65b74c6c913cc83b41b1d452518cd50be1

SHA256
85a41473d3952dcdecb1cb79fcce972d94a24dc6157edfdbe505e277808560c9

SHA512
de9cdbc22f9e1e86a98389f8fe47731414961cb111c7ff1bb171f987091035c4bc8dd81d8e4aee6eb5aed51e7f400df78edb349a2d6348fbcc6b10212c0a4d66

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\System\Apps.txt

Filesize
6KB

MD5
ef796234202e56b26a8a5bb698eb4f49

SHA1
fb5c3dca20c1ee961630192d8bb0033591578119

SHA256
dca103a937a59150034fbfa404eb76e0dc0b95097dcd9f57be2aab5fdcf9a5bd

SHA512
9fd893184a8c60af98c91a4a0bb65ce827c588b86211cd873c240c058d399859153ef84a97b936ffd232b3cb658404983d70418a1f3c8424ad78baca7f687f29

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\System\Desktop.jpg

Filesize
136KB

MD5
b2ec2262bccce0b06c7e3755d081afb6

SHA1
7edaf21848d8dfa2a90be4bd70bcad7dca19fa4e

SHA256
c0a240c939b05abf7cf56a6e2c206de806d4fe46beb93bb7dfdcfc290600d833

SHA512
4204ee5b8800bdecfb17066474bb64e53140b831baa4a4b47e82e9019410193bd6d08aec3f87f221d40aba4045a3948719ac6d1d4c61315c5de1546836f76cf8

Download Submit
C:\Users\Admin\AppData\Local\2b67ad9a961d426107839f87f355006d\Admin@JSMURNPT_en-US\System\ProductKey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEACE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAE1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp783C.tmp.dat

Filesize
5.0MB

MD5
35b6001877e838f67efae4cfc185ec61

SHA1
e284cf065d8fe9de6307d9c5c0305e8101ba7dd5

SHA256
3713eb7e64c60aa293773611519b14e63b8d1f90355b262516697e8bf6b8b80b

SHA512
55b5f734048c622ea4547232d459fa4f3e33a122a437da55f9fa5b946f6d4cfe4dd2beb7f5826af2b968cac4dc7e24b5d7d22bc33b10efe90d5da7d547416edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp784C.tmp.dat

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp784E.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
memory/2372-41-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/2372-40-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2372-42-0x0000000002220000-0x000000000223E000-memory.dmp

Filesize
120KB

Download
memory/2372-214-0x00000000066D0000-0x0000000006782000-memory.dmp

Filesize
712KB

Download
memory/2372-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000900000-0x0000000000A92000-memory.dmp

Filesize
1.6MB

Download
memory/2372-112-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-215-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-155-0x0000000006A60000-0x0000000006ADA000-memory.dmp

Filesize
488KB

Download
memory/2372-156-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-5-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2372-4-0x00000000008B0000-0x00000000008D6000-memory.dmp

Filesize
152KB

Download
memory/2372-3-0x0000000000760000-0x00000000007F2000-memory.dmp

Filesize
584KB

Download
memory/2828-217-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2828-216-0x00000000013B0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download