stormkitty | 1f5d9a0d8947fe2761530a5e024fcb655b04cbd57bad826d45956153f74938cf

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rdp_stealer.exe
Size

320KB
MD5

aed949c2645ab1e4671d9cbb6306c063
SHA1

a2cd06f61a2d220b81f62ca62ebe6df3246e6837
SHA256

1f5d9a0d8947fe2761530a5e024fcb655b04cbd57bad826d45956153f74938cf
SHA512

a23794c977667fb59d73ff9781d7262b1f02419bae3094717df0e5ff1ac194cd3e74d8badbd58899f5d03face7944becf7e517f3d82cd24b0f545e4a7b7ef3cd
SSDEEP

6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvx:3m/Q6P8j/svm1TXI5tZB

Score

10^/10

stormkitty collection discovery spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2068-1-0x00000000001D0000-0x0000000000226000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Downloads\desktop.ini	rdp_stealer.exe
File created	C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\desktop.ini	rdp_stealer.exe
File created	C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Downloads\desktop.ini	rdp_stealer.exe
File created	C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\desktop.ini	rdp_stealer.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
36	api.ipify.org
37	api.ipify.org
39	ip-api.com
68	freegeoip.app
96	api.ipify.org
2	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdp_stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdp_stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdp_stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdp_stealer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rdp_stealer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	rdp_stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rdp_stealer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	rdp_stealer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2068	rdp_stealer.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	rdp_stealer.exe
Token: SeDebugPrivilege	2532	taskmgr.exe
Token: SeSystemProfilePrivilege	2532	taskmgr.exe
Token: SeCreateGlobalPrivilege	2532	taskmgr.exe
Token: SeSecurityPrivilege	2532	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2532	taskmgr.exe
Token: SeDebugPrivilege	3668	rdp_stealer.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeDebugPrivilege	4464	rdp_stealer.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeDebugPrivilege	3972	rdp_stealer.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe
Token: SeShutdownPrivilege	4856	chrome.exe
Token: SeCreatePagefilePrivilege	4856	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2912	4856	chrome.exe	102
PID 4856 wrote to memory of 2912	4856	chrome.exe	102
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 4196	4856	chrome.exe	103
PID 4856 wrote to memory of 712	4856	chrome.exe	104
PID 4856 wrote to memory of 712	4856	chrome.exe	104
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105
PID 4856 wrote to memory of 1848	4856	chrome.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rdp_stealer.exe

C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
"C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
"C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb64cecc40,0x7ffb64cecc4c,0x7ffb64cecc58
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,1708400886519604509,7486410663516304355,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
"C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe
"C:\Users\Admin\AppData\Local\Temp\rdp_stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
406f6202f1cc192aa2908e5e16a0258b

SHA1
d2ba2b8c4786116ce5759d402db13ccf271c3916

SHA256
249e32acdf3682dee666b52e9de98454cebf2fb493de4fa9f46a75c003e6a114

SHA512
827e15d85313d18617cab97cdfa2be90054304708f83a603902b81bfbf3d64bd3fa5b1d45894b94041d5fe2e7ce88482643200ab26712f9e6468c0d9f8a04ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c60c26b0c1451118f0cf8f354a981cab

SHA1
020f788101e6f6400da7d5ed333095af5890c843

SHA256
8c301147278c53943df4e44e8a63c7b4d3e1876e51ce49070020e170ca858afe

SHA512
6b591dcaa38380879d3ed45b4dd3474b85e0bd75b0243b61d93a47271f20cfae61eb4c70824e67a42a095021677280584385c94d7d3773582a7258b13c8c6775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
79ea5b29259d2da4c9759063200b0f11

SHA1
b745a2cb97794015bd324262a79cf383f4147a04

SHA256
6e099623f4d0979bbed06676b45a6a3ad5f6999aeca4e56250ef0968bbdb07e4

SHA512
4a4fab414062307976a0274e99d3b920d17b31e9600ce26d1fb0c33319285f29c6d2ec96ba3d6a98e13788be5387f88f2ae7615b66a3e2ab3ddf6051e089feec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rdp_stealer.exe.log

Filesize
1KB

MD5
e7e52214e6567b203ac414633fd4ddf4

SHA1
f158c007aefebdfafd0e8c4d9efaa2ca1a0918a9

SHA256
fb25171f9aa532752ce6394e9b7eb780aef40109db1e73d560487c517f505e0e

SHA512
8a7258bb5c30cbd75e9ef8a63c9bc5acf8597593dc8dad6ca3d5090350b25da44c8f458410cd2d7108700f2d75205b13a2719614f3a3786ef32aba17e9510b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
f81c619cf9a4d914ef742e20e6a8100a

SHA1
1e114d991f25e29c05b41cfbe6088bcb2de0161a

SHA256
9967b19424ce3d47a6794df3cb6fcae6728b4e352c80de74bb228f3f83fa2af2

SHA512
99130e9e3f20b6baefb26868db94c32449360fa8fc1db2db38caff8e7afd948c492603a2f2e9823bcad348b31870e0344832dff1b1877118c2ebdbcab11907a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51B5.tmp.dat

Filesize
114KB

MD5
d9f3a549453b94ec3a081feb24927cd7

SHA1
1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8

SHA256
ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73

SHA512
f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57B4.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EBC.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\Browsers\Outlook\Outlook.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Desktop\CloseInstall.jpg

Filesize
372KB

MD5
503d11e454a489774a070accb45da681

SHA1
14ad6629a82d0932579d72306ed3d330e33b27f6

SHA256
20bcc8212e61eced7d43220416ba984b4037299a71c227438841bc71b8a3c3dd

SHA512
7bcb9bcd61ba2d40b351fbed88e2fd75bb3b605c051dbd089d687f04b2db10f0d4369da8cc5711aaaa63ebc10f3f4276063b7012b2dad92b329c8b6445e0f677

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Desktop\ConnectResolve.txt

Filesize
670KB

MD5
227b74c79bc127840aa7152ee94fb6dd

SHA1
5079150f46dba3949218b5cbb1482a34d6ba9a06

SHA256
d53530f0f82fdd5563c5b3c12a06423828a346d77429a52d53e0f9fab2349d6b

SHA512
436852f663b07ff433eba137d1d4ef861c5639a7d82e920cb36d3033c464b6685aae0f382201f8d087efb7cb2cee070ea08d81d2415c001e562ab81c98858e7f

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Desktop\ConvertFromWrite.docx

Filesize
14KB

MD5
90b8f82248001dd891521d1b8cd28edb

SHA1
f8940e5d9edcdcce8acf10b6846543e03372ccad

SHA256
0072c0dc197925cab10856d54d1a278eca463b046bd1405d3129baa46cd065c2

SHA512
8343ce9f6cbac3f94be79d74c914f8dbd16fe5b2ae2c4c14b9d8e4e3c5f213f540a808f42952374ee95bc09f5f5dcbfec3aff4da205ce81d0cb121534116ded1

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Desktop\DenyExit.png

Filesize
397KB

MD5
94d3e452efb92efd933e650e5395818f

SHA1
3f46c70ceaa59b4e655147cc454659045d11d7ee

SHA256
61e8d98c742e39edf370a6e73121e5acc9aa75271aad5ee484378ac0ef9f3cb0

SHA512
743ab25866d5061935e4163d5f5514d2b11242c18cb575be30761c9af8f8daad3699132af02b2dddefe6d231fe4a908379a37ad5380db149c5ae9628db69e1ef

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Documents\AddUnpublish.docx

Filesize
2.5MB

MD5
34560a1f38bfbd463adb48e4de9ffb49

SHA1
64bc1426230a96c326c3c071ad31da02429f2f8e

SHA256
d77ba3f1bcd55feec82df97777c6d58052190ef332fe0a4afb2cfd18d0857327

SHA512
a4f3aeb53118a79170ce995d724f7d544dd92dbc2cad9e174e78a0703025d19dc3a739a2c63a0b132138cea539112eda09f466793162974c4f70e515063b25ed

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\ConvertWrite.png

Filesize
768KB

MD5
0ad7129136a09863538dde026a83a47b

SHA1
3dae450d499332b0d4612ca6342da8e3ba6ffbcc

SHA256
8cff5a6a6813da3f8dd075e4d61dbb7fc54070d126a7450f9edcd3a373dd762f

SHA512
b1900c627694fe837934b36bef059e132ffa0fca0ebf6b9c99c002030295fcc7345716069faf582967f6f3ee0133a6e80b82af9941e1d8a5b67827f28885b368

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\DismountSkip.jpeg

Filesize
384KB

MD5
b0a79e79cf89f9498439078cecbea59f

SHA1
4f96f2abe9b50c01bb77231a70393de0cbd36354

SHA256
e2546958cc1a5c2e50d137f00b3d072a5183a5b139b9671a39ed49450fe446ae

SHA512
2c2c9c3f1ff93a8661af27a9a81f8d5a5952af7a0713701fbc3e885a51a66631d7a90ed14ae2c79feb786bb6d9abcfb5f166c8f57e9ac17d8e108dadefe67650

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\GetRequest.jpeg

Filesize
998KB

MD5
b6b7f9dd15bc8b1671fd5b9f644c71ff

SHA1
53b1703154902eac5b5cb3e78693a829c25d10f0

SHA256
c528e4e584b824008da1d4afac44d2868b765fcad5d911b78253262145dab555

SHA512
c6084427395cb9204a721bfc461fa09256dee37ee9a5652a02b6a1568f39e0cfcac39e227068edf71b0e2fa71d866287255e38e45fb49625a199d424fc55b510

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\FileGrabber\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\InstalledSoftware.txt

Filesize
1KB

MD5
bca4ee4b0d73edf2835ac08ab38d1bd9

SHA1
a833d7663f5edecc050b37b7efd1d563268ea0df

SHA256
0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f

SHA512
48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\Process.txt

Filesize
4KB

MD5
af6d5d64452912f679e457029e17b8cc

SHA1
6fbb42ef198908fae76bcff48a7f925470adfbf4

SHA256
11064af58cf6235444b75ca181569d44d6d2c4ff1514a6430a4fc71fc36d38a1

SHA512
b5d77b8882b94a380e27d9d772748da9632e1ce303e3e193c940eabd258a1e46f2bd3c4c0df7db39adbdb834791a47e9f052fe7824495c1dbcfc116d4515e742

Download Submit
C:\Users\Admin\AppData\Roaming\SPDEBJWH\Process.txt

Filesize
4KB

MD5
516d750d8d019aad734e0023e93e5050

SHA1
333975707e4f702cd31592b7f5f0c9f127e71c5f

SHA256
f09ba773a49606259356eb5235cc2376093a7ed8b60e840fc885e16050e388ec

SHA512
a2beb75c85a66086c5c1c24acfb3c37a0e3239a188428246aa39fd8debed8852d274e1deb1cd2987140c86e79ef578ea96551b5e271e8647e0044a7ccf81dcd0

Download Submit
memory/2068-201-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2068-217-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2068-236-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2068-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x00000000001D0000-0x0000000000226000-memory.dmp

Filesize
344KB

Download
memory/2068-5-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2068-24-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/2068-25-0x0000000006540000-0x0000000006AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2068-27-0x00000000063D0000-0x0000000006436000-memory.dmp

Filesize
408KB

Download
memory/2532-156-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-157-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-145-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-146-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-147-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-155-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-154-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-153-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-152-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download
memory/2532-151-0x0000018DABD40000-0x0000018DABD41000-memory.dmp

Filesize
4KB

Download