Analysis
-
max time kernel
1200s -
max time network
1174s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
25-10-2024 05:43
Behavioral task
behavioral1
Sample
Find Wallet v3.2-Crack.exe
Resource
win10-20240404-en
General
-
Target
Find Wallet v3.2-Crack.exe
-
Size
3.5MB
-
MD5
68f929dc1286bf7af65bf056845f9b42
-
SHA1
1f1d9848811b3c00066f8be86035fda994ceedfd
-
SHA256
0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
-
SHA512
d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
-
SSDEEP
24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x000900000001ab1c-6.dat family_stormkitty behavioral1/memory/3876-16-0x0000000000A70000-0x0000000000AC6000-memory.dmp family_stormkitty -
Executes dropped EXE 2 IoCs
pid Process 3876 Client.exe 2728 Find Wallet v3.2-Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\Saved Pictures\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\Camera Roll\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Desktop\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Documents\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Downloads\desktop.ini Client.exe File created C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\desktop.ini Client.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 api.ipify.org 21 ip-api.com 1 freegeoip.app 5 freegeoip.app 19 api.ipify.org -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Find Wallet v3.2-Crack.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Client.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133743093749449966" chrome.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 3876 Client.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 2752 chrome.exe 2752 chrome.exe 2304 chrome.exe 2304 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3876 Client.exe Token: SeDebugPrivilege 4912 taskmgr.exe Token: SeSystemProfilePrivilege 4912 taskmgr.exe Token: SeCreateGlobalPrivilege 4912 taskmgr.exe Token: 33 4912 taskmgr.exe Token: SeIncBasePriorityPrivilege 4912 taskmgr.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe Token: SeShutdownPrivilege 2752 chrome.exe Token: SeCreatePagefilePrivilege 2752 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe -
Suspicious use of SendNotifyMessage 63 IoCs
pid Process 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 4912 taskmgr.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe 2752 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2752 wrote to memory of 3876 2752 Find Wallet v3.2-Crack.exe 73 PID 2752 wrote to memory of 3876 2752 Find Wallet v3.2-Crack.exe 73 PID 2752 wrote to memory of 3876 2752 Find Wallet v3.2-Crack.exe 73 PID 2752 wrote to memory of 2728 2752 Find Wallet v3.2-Crack.exe 74 PID 2752 wrote to memory of 2728 2752 Find Wallet v3.2-Crack.exe 74 PID 2752 wrote to memory of 2728 2752 Find Wallet v3.2-Crack.exe 74 PID 2728 wrote to memory of 2752 2728 Find Wallet v3.2-Crack.exe 77 PID 2728 wrote to memory of 2752 2728 Find Wallet v3.2-Crack.exe 77 PID 2752 wrote to memory of 4568 2752 chrome.exe 78 PID 2752 wrote to memory of 4568 2752 chrome.exe 78 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3344 2752 chrome.exe 80 PID 2752 wrote to memory of 3884 2752 chrome.exe 81 PID 2752 wrote to memory of 3884 2752 chrome.exe 81 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 PID 2752 wrote to memory of 4496 2752 chrome.exe 82 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3876
-
-
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://t.me/myfindwallet3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe2289758,0x7fffe2289768,0x7fffe22897784⤵PID:4568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:24⤵PID:3344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:84⤵PID:3884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:84⤵PID:4496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:14⤵PID:1468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:14⤵PID:2216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:14⤵PID:4336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:84⤵PID:2684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:84⤵PID:4104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:84⤵PID:4132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2612 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4912
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2352
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72B
MD5942a4b9a3eda55bf96aff5c92952e16d
SHA1cbb8a40892ab6d35efad1098b7f1b02383e9c0e3
SHA256169c07c88e7e06a3ff0269ad4489f0b81a404642cde521f8e8ef361fcf7f99f3
SHA512a45b9f5dada2d10a41101d3282fa9b16a7c3cad92bebc318c779485c6672422429ae1d53b6e02be520d725542e92faafc66edff77d028aa6424ea7eec6bbf97b
-
Filesize
931B
MD54d5c3af6abf83de5a9b55e063fdb6d34
SHA191d5242fba7a7e3040c8654c2defc88dcfed46ad
SHA25688704c50f106579d76aabb5279d72e83b93fa8713908750de2dfb659c79cc4e7
SHA5121dfa5953cfd043dcefaa5074794ad3aa5cc7bf0d53d0878c1cce0b7b9aa1888e76efd04e1823d288cf452320a3221491c7616b841018624165070729aae5d152
-
Filesize
371B
MD53ddab5c2fef2db311468ac4751b59dbf
SHA173cd1e7a433a0cd2a466c96935122df218402045
SHA256f58e89737a2a3ec69d686566a8b07c6a949761629c77fa205594ca0874bec641
SHA512b62910e1f01640b51051d926aee6e962b35fa218c7762a2bd7abbed66eb5c932238f499d5d7592b8f2e1f43c818f5d3552c2f3bf57f62d52ba72630a278c5fed
-
Filesize
6KB
MD5977ae53463d93737eda15ae6849b3070
SHA17e7d4515cbc2aa7293114c5c30ce6361bf1630af
SHA256279b3816837e192bbe2f33b215e1aef59fda8aa050308eba81bebd0308367f0a
SHA5126e2aa75a546ac61649933d3e0fff81752d328829ecd5f7d03e899509a3be2dc0da18d6e21f09fb7d4a18767322a2690251e53ba499d98457e9af68c927d26b0f
-
Filesize
5KB
MD593662808940bd3685328eb73b53a59fa
SHA120b240eb7335490cc21188331caae2efde04f284
SHA256b03552f5f4d1f5be553f04e3a8af8560e602fbb985eeec01ade4bc43dc7a30fc
SHA5124c081a07de446256b7bda5f9a016434fa51b488330ae6cbab84ab7d88128f02b601e458ea8507290e6ad7d19c928cd00207eade2e8f698ae34db76fc83ac3cef
-
Filesize
6KB
MD5ab1d1e4d742d591b7a1a60b50aba6c6b
SHA1d17e68fdb9f58f3a568f4ad9b14f48772d861bf5
SHA2568ba098ffcf05e04cf43615b0816ee65709823436cabda0b1cd87ace1e6a39d3e
SHA5120579783f42fcde6743e8d4776528d4091570489e53e6d18cda0369172f927c08ccf34d0da04e7d3b2ae3c012b0728531d4ffee0b0417fd84ab300db0e3ea3263
-
Filesize
6KB
MD5400020b802eb525386c58b465418c7d2
SHA198d2ce7c7ae86b7201ad8e2ce1c3d0abcb409459
SHA256199154b31382605a9d3d296f6a554e20ee54d9cfc3ba54da94e2180c3c27ccff
SHA5126a1d8958dfaf766dadb1969c92e4af83cbd96df367f78c70b026498d7cfa737eb65bdd54908d6994fad2d0f66c0511c94aaf9b26679d5c633db6ee149f9a16f3
-
Filesize
12KB
MD5fd4a5d23a048e5f9b9f526edc2456411
SHA1e67dfadb3d26b971a05b7a073561cc3a8077274e
SHA25609e4b1f1037deb6a53e5c3bb5031e68cacf53ce7837c3764e808a829472b1fa1
SHA512cfdf8010e0dfe00ad6a79fcf133ca8f467e76f7c28b643405d83caab9536791614c5a5b43d31a9eabfd0a67f48a6135cc00e653f1cc9fb38620f99e93b61d1ba
-
Filesize
312KB
MD5cab11fc9e7fdb2dc1af54b3fc19160f3
SHA131fdf88c5aef297fbbe3e67d535bcaa5d090b28d
SHA25626ee36aeeb9173fa6dffb1dc1903a17c45f69ba88f64feebfaebba45a3a9f7e6
SHA512bf409ad5b6ca89c605b5ad44c4a5a2e17523207d12214d6f066a494189e2b2db544adcc9023236e453f53d874b234ee9d4a3fb209f2bbb772735633b98258506
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
507KB
MD5d7df2e2d786cc28d36487c80ba1cc45c
SHA12cd36e6a5646271175ad73a1b159718af2504cd4
SHA256e7fd7b313d3b32d9b89047b9f8421fba9cfc8249007521e795d91aba649be341
SHA51279aec5743563db8e98a9e9da8bed375297ebde63b497215f29fa745be5cddc9cd23a53492cc650e54873ad97cd6f86fe733a3552916547a4e2fc54ddecf24821
-
Filesize
816KB
MD592ca573667efda8d85cf2c1babe7c2d8
SHA152b793a083ee06580681ce8055a0aca86d1b5c39
SHA2561de459f73ce396d84f3ab388084f1ab21b6b34ce42bee0952232cd837a2f6ade
SHA51254de756e280bb541978d68c5bf5ec753f8489ebf5b430f605e31f29a0130e8f9c9479cc4c56ff5363104c58850f4b899e04e3fcf4fd146d712f1b1524f1afca0
-
Filesize
722KB
MD56885277d27f092d919abff7ad8f638c6
SHA1284daebcc4a42ef9446cc7d81967b3de8a534b72
SHA2563aa4b6200e000f2da9f37cbc0a0f96ca008b039838309762d228d7f3cc5c2658
SHA512aaf1f4fa769c54554130a7ab8c96cf557509305108042e465dc27c2a37f827a49dfc99fdca144fba183852e5cd72b3d98b78184d6923c145c6ee8013f232d823
-
Filesize
1.9MB
MD52e0195568e380ea532cedd56dbbe11b0
SHA166dd2e221b50383c370736730c3e7e4cf23b13b6
SHA25657957ed2cc7ed295ef29ede7e0d0458891b54462512710226c82d4b2d7f625f2
SHA51270f0b496ea0ee271cca79a0bdff594ffe5749e4be1a21b685810daff3e593c08a7ff2c2cfa16f1c067ade3d4b51ad54bf15b5fe4c21d6acbd7223dbee99266f1
-
Filesize
453KB
MD5ea81312bfa7b29b8b0248bb024b9d6dc
SHA199d6168c28e0e245738ab5e4badf9de4de0770e5
SHA256dc5b768469c70006b04efc60cb40c1c1c3f4024f25229a629b09938801ce48f4
SHA512e9f39b6acd04e32f33471a2776098753807621311f5196079d9019aacba79de8c5ec594eeb2dc17b3a205eef54387bd3d41ee03a84d07ef5216e5c6f4f85978b
-
Filesize
320KB
MD5caa67a771906494f8defd9d413d08e0b
SHA18a1647d67ba3d3136ac29919091dc7eeb9f67c52
SHA2569a5f3100cdad968d544d1fcd49238d54934ac30ff3da20815adad26b6c8ff4d2
SHA512fd979d2c39c2af20b4408d3332b3b24357aeeaf30c0f20aa212dbeaae3970f0790e4fc5d81b494e47d66c861e8d6260566fb41186e4f2452ae0e90b778c885c8
-
Filesize
210KB
MD538a89dadab728881638bea59535a486b
SHA19a1e7b9fdbb0fac8368cb35f6d91c6aa840c4d26
SHA2564a2f570a967a612181ec345ce21b1377b4a39d7a175e1467afc225827977845b
SHA512080f868beafd8eaef7c23bea87c00cabbade12c21abd2c237f3eb094a5ffe9a9f25143cd89be1d9ea9f4d92f7785ecf2306b696e5ca0e44ddda198524b33d5c1
-
Filesize
320KB
MD5bc5da83795b587fb1dfce2d6bef2d176
SHA1ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0
SHA256d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb
SHA512503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5
-
Filesize
3.0MB
MD5c309cb9865dfc6dbb7f977f4c0f722c0
SHA1b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9
SHA25651472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5
SHA512a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797