stormkitty | 0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82

Analysis

max time kernel
1200s
max time network
1174s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25/10/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Find Wallet v3.2-Crack.exe
Size

3.5MB
MD5

68f929dc1286bf7af65bf056845f9b42
SHA1

1f1d9848811b3c00066f8be86035fda994ceedfd
SHA256

0d20648267d3004ba95b04f9ef01f3f6e40644b46773990807c2741adbdd3d82
SHA512

d2019f58239c44e8a0b2e92c04985943c998e32974b9a322fd3d925c13ec83b733520ddc06c15b2e43ab2587b1fbb4f799b6972f5f9b4069c5d7023cf720249a
SSDEEP

24576:GfP8j/svhs+hp5kH4vysV988IMf4r27GCS040YVqxzvXyKxNt38GT8JDPVv5+2tp:UP8j/MW+ise8IW4rF5ovXy6t7BQj1

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001ab1c-6.dat	family_stormkitty
behavioral1/memory/3876-16-0x0000000000A70000-0x0000000000AC6000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
3876	Client.exe
2728	Find Wallet v3.2-Crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\Saved Pictures\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\Camera Roll\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Desktop\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Documents\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Downloads\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Pictures\desktop.ini	Client.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.ipify.org
21	ip-api.com
1	freegeoip.app
5	freegeoip.app
19	api.ipify.org

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Find Wallet v3.2-Crack.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133743093749449966"	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
3876	Client.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
2752	chrome.exe
2752	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	Client.exe
Token: SeDebugPrivilege	4912	taskmgr.exe
Token: SeSystemProfilePrivilege	4912	taskmgr.exe
Token: SeCreateGlobalPrivilege	4912	taskmgr.exe
Token: 33	4912	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4912	taskmgr.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3876	2752	Find Wallet v3.2-Crack.exe	73
PID 2752 wrote to memory of 3876	2752	Find Wallet v3.2-Crack.exe	73
PID 2752 wrote to memory of 3876	2752	Find Wallet v3.2-Crack.exe	73
PID 2752 wrote to memory of 2728	2752	Find Wallet v3.2-Crack.exe	74
PID 2752 wrote to memory of 2728	2752	Find Wallet v3.2-Crack.exe	74
PID 2752 wrote to memory of 2728	2752	Find Wallet v3.2-Crack.exe	74
PID 2728 wrote to memory of 2752	2728	Find Wallet v3.2-Crack.exe	77
PID 2728 wrote to memory of 2752	2728	Find Wallet v3.2-Crack.exe	77
PID 2752 wrote to memory of 4568	2752	chrome.exe	78
PID 2752 wrote to memory of 4568	2752	chrome.exe	78
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3344	2752	chrome.exe	80
PID 2752 wrote to memory of 3884	2752	chrome.exe	81
PID 2752 wrote to memory of 3884	2752	chrome.exe	81
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82
PID 2752 wrote to memory of 4496	2752	chrome.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Client.exe

C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Find Wallet v3.2-Crack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3876
- C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
  "C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://t.me/myfindwallet
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe2289758,0x7fffe2289768,0x7fffe2289778
      4⤵
      PID:4568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:2
      4⤵
      PID:3344
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:8
      4⤵
      PID:3884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:8
      4⤵
      PID:4496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:1
      4⤵
      PID:2216
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:8
      4⤵
      PID:2684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:8
      4⤵
      PID:4132
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2612 --field-trial-handle=1660,i,544123661550308282,5982693489380362299,131072 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
942a4b9a3eda55bf96aff5c92952e16d

SHA1
cbb8a40892ab6d35efad1098b7f1b02383e9c0e3

SHA256
169c07c88e7e06a3ff0269ad4489f0b81a404642cde521f8e8ef361fcf7f99f3

SHA512
a45b9f5dada2d10a41101d3282fa9b16a7c3cad92bebc318c779485c6672422429ae1d53b6e02be520d725542e92faafc66edff77d028aa6424ea7eec6bbf97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
931B

MD5
4d5c3af6abf83de5a9b55e063fdb6d34

SHA1
91d5242fba7a7e3040c8654c2defc88dcfed46ad

SHA256
88704c50f106579d76aabb5279d72e83b93fa8713908750de2dfb659c79cc4e7

SHA512
1dfa5953cfd043dcefaa5074794ad3aa5cc7bf0d53d0878c1cce0b7b9aa1888e76efd04e1823d288cf452320a3221491c7616b841018624165070729aae5d152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
3ddab5c2fef2db311468ac4751b59dbf

SHA1
73cd1e7a433a0cd2a466c96935122df218402045

SHA256
f58e89737a2a3ec69d686566a8b07c6a949761629c77fa205594ca0874bec641

SHA512
b62910e1f01640b51051d926aee6e962b35fa218c7762a2bd7abbed66eb5c932238f499d5d7592b8f2e1f43c818f5d3552c2f3bf57f62d52ba72630a278c5fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
977ae53463d93737eda15ae6849b3070

SHA1
7e7d4515cbc2aa7293114c5c30ce6361bf1630af

SHA256
279b3816837e192bbe2f33b215e1aef59fda8aa050308eba81bebd0308367f0a

SHA512
6e2aa75a546ac61649933d3e0fff81752d328829ecd5f7d03e899509a3be2dc0da18d6e21f09fb7d4a18767322a2690251e53ba499d98457e9af68c927d26b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
93662808940bd3685328eb73b53a59fa

SHA1
20b240eb7335490cc21188331caae2efde04f284

SHA256
b03552f5f4d1f5be553f04e3a8af8560e602fbb985eeec01ade4bc43dc7a30fc

SHA512
4c081a07de446256b7bda5f9a016434fa51b488330ae6cbab84ab7d88128f02b601e458ea8507290e6ad7d19c928cd00207eade2e8f698ae34db76fc83ac3cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ab1d1e4d742d591b7a1a60b50aba6c6b

SHA1
d17e68fdb9f58f3a568f4ad9b14f48772d861bf5

SHA256
8ba098ffcf05e04cf43615b0816ee65709823436cabda0b1cd87ace1e6a39d3e

SHA512
0579783f42fcde6743e8d4776528d4091570489e53e6d18cda0369172f927c08ccf34d0da04e7d3b2ae3c012b0728531d4ffee0b0417fd84ab300db0e3ea3263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
400020b802eb525386c58b465418c7d2

SHA1
98d2ce7c7ae86b7201ad8e2ce1c3d0abcb409459

SHA256
199154b31382605a9d3d296f6a554e20ee54d9cfc3ba54da94e2180c3c27ccff

SHA512
6a1d8958dfaf766dadb1969c92e4af83cbd96df367f78c70b026498d7cfa737eb65bdd54908d6994fad2d0f66c0511c94aaf9b26679d5c633db6ee149f9a16f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
fd4a5d23a048e5f9b9f526edc2456411

SHA1
e67dfadb3d26b971a05b7a073561cc3a8077274e

SHA256
09e4b1f1037deb6a53e5c3bb5031e68cacf53ce7837c3764e808a829472b1fa1

SHA512
cfdf8010e0dfe00ad6a79fcf133ca8f467e76f7c28b643405d83caab9536791614c5a5b43d31a9eabfd0a67f48a6135cc00e653f1cc9fb38620f99e93b61d1ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
312KB

MD5
cab11fc9e7fdb2dc1af54b3fc19160f3

SHA1
31fdf88c5aef297fbbe3e67d535bcaa5d090b28d

SHA256
26ee36aeeb9173fa6dffb1dc1903a17c45f69ba88f64feebfaebba45a3a9f7e6

SHA512
bf409ad5b6ca89c605b5ad44c4a5a2e17523207d12214d6f066a494189e2b2db544adcc9023236e453f53d874b234ee9d4a3fb209f2bbb772735633b98258506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Desktop\AssertConfirm.pptx

Filesize
507KB

MD5
d7df2e2d786cc28d36487c80ba1cc45c

SHA1
2cd36e6a5646271175ad73a1b159718af2504cd4

SHA256
e7fd7b313d3b32d9b89047b9f8421fba9cfc8249007521e795d91aba649be341

SHA512
79aec5743563db8e98a9e9da8bed375297ebde63b497215f29fa745be5cddc9cd23a53492cc650e54873ad97cd6f86fe733a3552916547a4e2fc54ddecf24821

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Desktop\ReceiveMount.pdf

Filesize
816KB

MD5
92ca573667efda8d85cf2c1babe7c2d8

SHA1
52b793a083ee06580681ce8055a0aca86d1b5c39

SHA256
1de459f73ce396d84f3ab388084f1ab21b6b34ce42bee0952232cd837a2f6ade

SHA512
54de756e280bb541978d68c5bf5ec753f8489ebf5b430f605e31f29a0130e8f9c9479cc4c56ff5363104c58850f4b899e04e3fcf4fd146d712f1b1524f1afca0

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Documents\InstallResume.docx

Filesize
722KB

MD5
6885277d27f092d919abff7ad8f638c6

SHA1
284daebcc4a42ef9446cc7d81967b3de8a534b72

SHA256
3aa4b6200e000f2da9f37cbc0a0f96ca008b039838309762d228d7f3cc5c2658

SHA512
aaf1f4fa769c54554130a7ab8c96cf557509305108042e465dc27c2a37f827a49dfc99fdca144fba183852e5cd72b3d98b78184d6923c145c6ee8013f232d823

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Documents\LimitTrace.ppt

Filesize
1.9MB

MD5
2e0195568e380ea532cedd56dbbe11b0

SHA1
66dd2e221b50383c370736730c3e7e4cf23b13b6

SHA256
57957ed2cc7ed295ef29ede7e0d0458891b54462512710226c82d4b2d7f625f2

SHA512
70f0b496ea0ee271cca79a0bdff594ffe5749e4be1a21b685810daff3e593c08a7ff2c2cfa16f1c067ade3d4b51ad54bf15b5fe4c21d6acbd7223dbee99266f1

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Downloads\SubmitOptimize.xls

Filesize
453KB

MD5
ea81312bfa7b29b8b0248bb024b9d6dc

SHA1
99d6168c28e0e245738ab5e4badf9de4de0770e5

SHA256
dc5b768469c70006b04efc60cb40c1c1c3f4024f25229a629b09938801ce48f4

SHA512
e9f39b6acd04e32f33471a2776098753807621311f5196079d9019aacba79de8c5ec594eeb2dc17b3a205eef54387bd3d41ee03a84d07ef5216e5c6f4f85978b

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Downloads\SuspendEdit.pptx

Filesize
320KB

MD5
caa67a771906494f8defd9d413d08e0b

SHA1
8a1647d67ba3d3136ac29919091dc7eeb9f67c52

SHA256
9a5f3100cdad968d544d1fcd49238d54934ac30ff3da20815adad26b6c8ff4d2

SHA512
fd979d2c39c2af20b4408d3332b3b24357aeeaf30c0f20aa212dbeaae3970f0790e4fc5d81b494e47d66c861e8d6260566fb41186e4f2452ae0e90b778c885c8

Download Submit
C:\Users\Admin\AppData\Local\NDTNZVHN\FileGrabber\Downloads\UseDeny.js

Filesize
210KB

MD5
38a89dadab728881638bea59535a486b

SHA1
9a1e7b9fdbb0fac8368cb35f6d91c6aa840c4d26

SHA256
4a2f570a967a612181ec345ce21b1377b4a39d7a175e1467afc225827977845b

SHA512
080f868beafd8eaef7c23bea87c00cabbade12c21abd2c237f3eb094a5ffe9a9f25143cd89be1d9ea9f4d92f7785ecf2306b696e5ca0e44ddda198524b33d5c1

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
320KB

MD5
bc5da83795b587fb1dfce2d6bef2d176

SHA1
ccfd73ae06c12385a19f0cc836ac8a8bfda8c8d0

SHA256
d8539aec2e01d20b840f4c35ae675eca7f85de828282d03c4aabad6034cd8ffb

SHA512
503399a12376fd8036d2cc89cfb0652038e708dc9f098c55dfd19c04ff0646ffce31ecbfd84271ad2334058a2aa074bd53f96483d1fcb32bdacdc4a965957ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Find Wallet v3.2-Crack.exe

Filesize
3.0MB

MD5
c309cb9865dfc6dbb7f977f4c0f722c0

SHA1
b3a7d7fbedfeb6edd951f4b5d9a28b2af44dbfe9

SHA256
51472e512316807270d85560bf6e3030355007c36a4f74d59a286411bb5378b5

SHA512
a70067011aa20c814d927e628e229800b0ea6918be755dae17d27edb5ea5072de595d115cd134a8d77ab87e323657b6a0a22e31dbf6a74278e07219e64960797

Download Submit
memory/2728-52-0x0000000008C90000-0x0000000008CC8000-memory.dmp

Filesize
224KB

Download
memory/2728-358-0x0000000017ED0000-0x00000000183FC000-memory.dmp

Filesize
5.2MB

Download
memory/2728-357-0x0000000001570000-0x0000000001592000-memory.dmp

Filesize
136KB

Download
memory/2728-222-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-17-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-224-0x0000000008630000-0x0000000008638000-memory.dmp

Filesize
32KB

Download
memory/2728-18-0x0000000000C50000-0x0000000000F60000-memory.dmp

Filesize
3.1MB

Download
memory/2752-15-0x0000000073D80000-0x0000000074330000-memory.dmp

Filesize
5.7MB

Download
memory/2752-0-0x0000000073D81000-0x0000000073D82000-memory.dmp

Filesize
4KB

Download
memory/2752-2-0x0000000073D80000-0x0000000074330000-memory.dmp

Filesize
5.7MB

Download
memory/2752-1-0x0000000073D80000-0x0000000074330000-memory.dmp

Filesize
5.7MB

Download
memory/3876-20-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3876-249-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3876-16-0x0000000000A70000-0x0000000000AC6000-memory.dmp

Filesize
344KB

Download
memory/3876-223-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3876-14-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/3876-46-0x0000000006AF0000-0x0000000006FEE000-memory.dmp

Filesize
5.0MB

Download
memory/3876-51-0x0000000006A10000-0x0000000006A76000-memory.dmp

Filesize
408KB

Download
memory/3876-221-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/3876-45-0x0000000006550000-0x00000000065E2000-memory.dmp

Filesize
584KB

Download