stealerium | 3c62a4a3091cd0f0a91da1e92bf88c96e0da5f81dd0b434ffb5fb55948928158

Analysis

max time kernel
23s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
20/03/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build22.exe
Size

7.0MB
MD5

0176388641637593938f5278b326a494
SHA1

39d6cf486e4f292605f8cf0f6a19097e59462d6f
SHA256

3c62a4a3091cd0f0a91da1e92bf88c96e0da5f81dd0b434ffb5fb55948928158
SHA512

b00cd6c016b4844b8ac7b434f2bd7d621879eed815210e9a846741efd49121348755ef4d6ef9609965abbf1a154c0017c56b9fee79854bd031e3eaddfc4e4ca7
SSDEEP

196608:XMbuV25DeTD+oqzukSIlLtIY79n8SI75bWAXAkuujCPX9YG9he5GnQCAJKNc:AA403qakSoR7tfI7ZtXADu8X9Y95GQLJ

Score

10^/10

stealerium collection credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

stealerium

https://api.telegram.org/bot1616004787:AAH60oNqVa82nffKp0gB2yn5A_jmiTy0_XY/sendMessage?chat_id=

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5088	chrome.exe
4912	msedge.exe
5876	msedge.exe
4868	msedge.exe
2724	chrome.exe
4132	chrome.exe
4048	chrome.exe
5840	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build22.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build22.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build22.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	icanhazip.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
976	cmd.exe
3036	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	build22.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	build22.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
932	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4324	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869033865434217"	chrome.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
2724	chrome.exe
2724	chrome.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe
6092	build22.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	6092	build22.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeDebugPrivilege	4324	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2724	chrome.exe
4912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6092 wrote to memory of 2724	6092	build22.exe	79
PID 6092 wrote to memory of 2724	6092	build22.exe	79
PID 2724 wrote to memory of 3120	2724	chrome.exe	80
PID 2724 wrote to memory of 3120	2724	chrome.exe	80
PID 6092 wrote to memory of 976	6092	build22.exe	81
PID 6092 wrote to memory of 976	6092	build22.exe	81
PID 976 wrote to memory of 4684	976	cmd.exe	83
PID 976 wrote to memory of 4684	976	cmd.exe	83
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 1984	2724	chrome.exe	84
PID 2724 wrote to memory of 3748	2724	chrome.exe	85
PID 2724 wrote to memory of 3748	2724	chrome.exe	85
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87
PID 2724 wrote to memory of 2880	2724	chrome.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build22.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build22.exe

C:\Users\Admin\AppData\Local\Temp\build22.exe
"C:\Users\Admin\AppData\Local\Temp\build22.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
  2⤵
  - Uses browser remote debugging
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffdac81dcf8,0x7ffdac81dd04,0x7ffdac81dd10
    3⤵
    PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1924,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2104,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=2100 /prefetch:11
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2416,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=2412 /prefetch:13
    3⤵
    PID:2880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=4128 /prefetch:9
    3⤵
    - Uses browser remote debugging
    PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=4580 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5148,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=5144 /prefetch:14
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5184,i,7660476167394600858,7979485224636145679,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --disable-logging --mojo-platform-channel-handle=5196 /prefetch:14
    3⤵
    PID:1996
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4684
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3036
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:4540
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  PID:4788
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:132
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
  2⤵
  - Uses browser remote debugging
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffd9a94f208,0x7ffd9a94f214,0x7ffd9a94f220
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2076,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2072 /prefetch:11
    3⤵
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=1980,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=1972 /prefetch:2
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2380,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2372 /prefetch:13
    3⤵
    PID:708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3428,i,5297282508190289646,9947585960199011123,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6c029a8c-afab-4859-9cd7-885684d2b928.bat"
  2⤵
  PID:1392
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4640
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 6092
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:932

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
173B

MD5
70e1643c50773124c0e1dbf69c8be193

SHA1
0e2e6fd8d0b49dddf9ea59013a425d586cb4730c

SHA256
4fe3f09cb4d635df136ea45a11c05f74200fc6e855a75f9a27c0a0d32a2f632a

SHA512
664e5d9263c0137f841daeb3dff00010ffeb7291ed08ccf6d0483200cd6d6bd3c9d31ea7e67a9de6aac591397060d8f01e8469bbad67d8e2f1c3900ef24c3679

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\Browsers\Microsoft Edge\Cookies.txt

Filesize
2KB

MD5
9bb74ea0d69df4570a5c51e9f79e65d2

SHA1
099024d2efcb0022aaa28f458c72cdbf57d977ff

SHA256
44bbe041830572889af7e68cda92571ae32d8aa75068a68dd786b6a8cce951a1

SHA512
418fe9b54d71eaff9f6e864c4478f09ed46218d8df8320012db62786b3394d48ca1e6a059e698302deeb23145ca170f36c14ecb2103a2ab128bf5c8df6a5e85d

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Apps.txt

Filesize
6KB

MD5
e4ded193433bfaed46da466eefcc2c35

SHA1
56151b0cb50efcac84e88cb623af4fc10f82087d

SHA256
b5190a32744b506ceec36dcdade88886a20d999ff72c93f960665cb90defe05c

SHA512
2948192405d25b8b18258d8f30183d082ae5bd53cc2c17743b6cd48b499f98e0820df59ac99c03dfe719202f95d39e761b3881e79dcb1b07504971e0c6a9bcfb

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
4KB

MD5
ba6622fddef12a0498e821efd7525673

SHA1
503c13614fb2ced91493a82494bf04f381d9240e

SHA256
dd30e721c388391c9900ca49473a5be78440f4bcb3d29dbf9a7fb1cddbd182bd

SHA512
e6706e34dac2c2da526c3cd62c861702beadc7f6791a25e0300a9ddc60135d1e2a41ac68f1c76cb3a3d9689de6d22fcb9002dbdb4f8dd26c3180489976969095

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
4KB

MD5
8ce8172529d664ee2e01a70dbebcb506

SHA1
b1c97d09342b09c809ed36285408c4648e8fe3df

SHA256
129e3edd7baa1023ffa2601a7358259f4c3acb144e510aa4cdd16a0489189d9d

SHA512
241fac8a272000f6f1c5011f351b3f5d0c8cd2f6745573b243ee8a82790c75cd19af87bf9083c1f7a95df7dd7bcda19375173ef457b3a08e4df9acef2ba08ae4

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
331B

MD5
869770d91bd5fc00d7565cf6674d9f75

SHA1
3408435206996e4c308bd57d0194756dffd88a05

SHA256
d5cbeb801901c5137d2cc526c5daee870d41379514c462ca48201f1895937096

SHA512
c9d15f4cfea23483e9424de84faf57c5f606ddc10af0c2b773fbd71dac1ca44433ed41073395fb4b879337bb59d6c0c01355f91b854148c918f3eaa8818f08c9

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
698B

MD5
44ae97b373f918e74a27a85fcd5ccde5

SHA1
bf436bc93c47775e56e1afac2311855a5a4869c8

SHA256
a570e2e40b94968bea06d36a0a8aadb3b6fc0bf548dde168afb69f1f21db60ef

SHA512
7092739e37df14d841aac74f24d8b6cd6d4c015934699033246dfb4a6403875a239a3244429d9793616e935b1b1ff447260cc52dfd733f1b9374b2bbc88143a9

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
1KB

MD5
764780dc41c32cfcffcda638b8e7e686

SHA1
65acd11ad72de4872e98e202dbbb5b4c8e33edea

SHA256
325ec926c909a4b96871138445038ff1566ba155d07b3ea927fbeefa175ddfaa

SHA512
27b681bdd530a21c2213dcbabcc9c7d2cb592e289fc716dbd9d49731726864c4d5990e106187a3e9647ad929649ac3a81e0efe24791e9179054abdd4e89b627b

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
1KB

MD5
ea7c69f70a77463dd5d23a08796b2da7

SHA1
8e846181fd9e4a1e9b9de257b85067b1956b858c

SHA256
dde7e77cdd65e5f8b7dc26560c42e292115997db37010b99bc3989c846b6ba18

SHA512
185fa47bc2fa56f3c4656c180b3a347c2e3b5d594f987dacb376acbd215e92441c0eae432f9aabe403a673418cee52014e587ec58f64bbfb5d56d2ca371c993b

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\Admin@KMOMNOMO_en-US\System\Process.txt

Filesize
2KB

MD5
3b06a67eb3991ea413f58a1edac5fcee

SHA1
4e5b11ecea85d62a84b272900910bfccd3c2d4c7

SHA256
0c117df36290929c8e53ac942e179c8c891ced83b28464b0c0c051021d8be44c

SHA512
c6251336d672d9fe89a79704bbbb33035e0862a17c45b8bdb90a363f8a65e5bc53258e0b6f51d1cad119ebd49f81542c7394f0342d56012825ef63735699c77c

Download Submit
C:\Users\Admin\AppData\Local\1d47ee26b28a00e1a657013442a8de51\msgid.dat

Filesize
4B

MD5
d880067f879409df09ac50ba315707aa

SHA1
51482b4f798f84addc996e559ea54571a72642b2

SHA256
670b08a8750893e8ba690b1b11f3138c9c6935977a68486854a0a518ce4156ce

SHA512
97798c8f33e4c6d560e28a26de5bcf61ea641df4c4925c265cfd2f0ca1141667e4c55b423a5d73d57ac58bbb1954359978075ba811cde71e0b4991e759964b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
26488f56cc3c2fdf4f768747ff34307b

SHA1
9cec388380cf401f6fc8fc158f9db78eb5165f5b

SHA256
7a43971d46bc7fd7adf08aecbec58b6a8ad5982543cec8b54d1b2de16d2c3d77

SHA512
29638392083e742aa1b31a733b81ef7dec189bae5837f5558f6536d5e395aa7cd2359b0003e954a19716288bf38c70ff5ccf103641450afe850e853efa940ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
1KB

MD5
968adb0f581ffb23ac0a5362f18b65af

SHA1
71a2362eeed4f36caa927d106c9b7be6970a8347

SHA256
842bc584359d52d3abf8c62ec899fc75c9ad47bccd10b00ba6febfed77b1beb6

SHA512
e22b97ff29e1bd2d411f2638e215e6e25d2e63fcf91af7055b8cb649177b4b3307df07b31789debfa6efb4196bba7be287bcad834d2b2c02fdd6fe45d2582fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe57a613.TMP

Filesize
1KB

MD5
0ed71fb678fe0c2565b82c6a1bbec1db

SHA1
640caa8b48406ef1cbb8726734362e893811a0fc

SHA256
7853098169b7db5d11fa96d9ea38c702e9ab3047f54c3f1ab019a3caf836cfbb

SHA512
c4ae185596fb387c302df734003755615a9c4e7eb9b97fa3d6c0f958b6d00d6e5d614a8d080dc5f56760f756f3e1409909d0ef686929db7bca75d32a4a707da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
efa6d9d2cb2a3d7fe22e98ef4089dd52

SHA1
f9adc9a3300f76614ecda41b2a8f836ea32c2f85

SHA256
2c884998b6d6b4b5d668179a49d8e76264721eef8b42bb5bebf37ca69545b637

SHA512
85e0090474197cc26daecb23f1b46e14455d5e606fe28100513760f950dcfb6cbced76791f3848524ca18ecb4f355b071a42178f3f1c3532489b34dbcc38ab63

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c029a8c-afab-4859-9cd7-885684d2b928.bat

Filesize
152B

MD5
c8bd8a0674f95bf717a50ef931f1a811

SHA1
06b5500ce7685f14d20a56f6b57c25865acae7da

SHA256
2ea7a0d9e8785b7955cf29d87b9d00e81204442c99fc091917d34cee8056ae2d

SHA512
f6e4a783bc2f8bc21ee7e055f4af4e1a93d23b254a5ff3e3e3d7154af66562ff313a93c08527945d6c25dee0c83fef6866dab571523a4b88572555f6920a40d8

Download Submit
memory/6092-141-0x00007FFD9EFF3000-0x00007FFD9EFF5000-memory.dmp

Filesize
8KB

Download
memory/6092-147-0x000001E2FBFA0000-0x000001E2FBFC2000-memory.dmp

Filesize
136KB

Download
memory/6092-13-0x000001E2FBD10000-0x000001E2FBDC2000-memory.dmp

Filesize
712KB

Download
memory/6092-2-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/6092-394-0x000001E2FBF20000-0x000001E2FBF64000-memory.dmp

Filesize
272KB

Download
memory/6092-395-0x000001E2FBFD0000-0x000001E2FBFEA000-memory.dmp

Filesize
104KB

Download
memory/6092-1-0x000001E2E0C30000-0x000001E2E133E000-memory.dmp

Filesize
7.1MB

Download
memory/6092-145-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/6092-0-0x00007FFD9EFF3000-0x00007FFD9EFF5000-memory.dmp

Filesize
8KB

Download
memory/6092-484-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download