salatstealer | hxxps://workupload[.]com/file/e2sDH6wVpXe

Analysis

max time kernel
133s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/e2sDH6wVpXe

Score

10^/10

salatstealer discovery stealer upx

Malware Config

Signatures

Detect SalatStealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/3016-232-0x0000000000020000-0x0000000000B9C000-memory.dmp	family_salatstealer
behavioral1/memory/4756-253-0x0000000000020000-0x0000000000B9C000-memory.dmp	family_salatstealer
behavioral1/memory/388-254-0x0000000000E80000-0x00000000019FC000-memory.dmp	family_salatstealer
behavioral1/memory/388-255-0x0000000000E80000-0x00000000019FC000-memory.dmp	family_salatstealer
behavioral1/memory/208-259-0x0000000000020000-0x0000000000B9C000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 4 IoCs

pid	Process
3016	ElysiumExeFree1.1.exe
388	WmiPrvSE.exe
4756	ElysiumExeFree1.1.exe
208	ElysiumExeFree1.1.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000242bd-214.dat	upx
behavioral1/memory/3016-216-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx
behavioral1/memory/388-230-0x0000000000E80000-0x00000000019FC000-memory.dmp	upx
behavioral1/memory/3016-232-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx
behavioral1/memory/4756-251-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx
behavioral1/memory/4756-253-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx
behavioral1/memory/388-254-0x0000000000E80000-0x00000000019FC000-memory.dmp	upx
behavioral1/memory/388-255-0x0000000000E80000-0x00000000019FC000-memory.dmp	upx
behavioral1/memory/208-257-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx
behavioral1/memory/208-259-0x0000000000020000-0x0000000000B9C000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\023d6d89-5a23-b34d-93d5-27516aee895a	ElysiumExeFree1.1.exe
File created	C:\Program Files (x86)\Reference Assemblies\unsecapp.exe	ElysiumExeFree1.1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\unsecapp.exe	ElysiumExeFree1.1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\023d6d89-5a23-b34d-93d5-27516aee895a	ElysiumExeFree1.1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	ElysiumExeFree1.1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	ElysiumExeFree1.1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElysiumExeFree1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElysiumExeFree1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElysiumExeFree1.1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877423833503924"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
3016	ElysiumExeFree1.1.exe
3016	ElysiumExeFree1.1.exe
3016	ElysiumExeFree1.1.exe
3016	ElysiumExeFree1.1.exe
388	WmiPrvSE.exe
388	WmiPrvSE.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
4848	chrome.exe
4848	chrome.exe
5928	taskmgr.exe
5928	taskmgr.exe
4756	ElysiumExeFree1.1.exe
4756	ElysiumExeFree1.1.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
208	ElysiumExeFree1.1.exe
208	ElysiumExeFree1.1.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
2016	7zG.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe
5928	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 5424	1504	chrome.exe	87
PID 1504 wrote to memory of 5424	1504	chrome.exe	87
PID 1504 wrote to memory of 1232	1504	chrome.exe	88
PID 1504 wrote to memory of 1232	1504	chrome.exe	88
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 4560	1504	chrome.exe	89
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90
PID 1504 wrote to memory of 2512	1504	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/file/e2sDH6wVpXe
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaccbadcf8,0x7ffaccbadd04,0x7ffaccbadd10
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1984,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2040,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4260 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5208,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5860,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5496,i,12868044866515278161,11197426244252314730,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4152

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ElysiumExeFree\" -ad -an -ai#7zMap13837:90:7zEvent28654
1⤵
- Suspicious use of FindShellTrayWindow
PID:2016

C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe
"C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3016
- C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\WmiPrvSE.exe
  C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:388

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5928

C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe
"C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe
"C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
612c06b1b54e279091bacc7ea4a410f5

SHA1
871c08b1d166baaee6cc80910b9a3a6f0ef4ade7

SHA256
d63fa96c1120929dae6cccc86dce11dcd0c62c147d5e604f7935f55b1176d503

SHA512
e779923d763292169226a1a5d97493de54058c524a6127fe11ccd502cdc1573bdb0f9830b9cda22c8d117ab95267192ca3c211398ea311477848347dfc7ef2be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
98686fb6c51ab8c758486e8f57887d3b

SHA1
0a0b1c3a79fc3f7e263fa710fd30dd00f764379d

SHA256
9c3e839c33fa0e565f23eca72727257932d10309e83b484b7c9f4dbbaa47f0c9

SHA512
e5d2fc385f0b4675bc11fb219fb53efb43e92316a16688787def7282fc3f656fabafa2e21a126e07b461f452bd0845795fdf91a51f4d2a23c7c5f837c131ce5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
74cae3d044ab7d002e08ce3b8768da8b

SHA1
11a61b01a264a178ce2cafcd4585bf0ae6c2e0b2

SHA256
7f696b99b80ee609adea31a85852241f376722ed2a756526880c5e94944a525b

SHA512
9dcb21bf12e29e8f7a965892a008d9febed98b52537567eebbf9906d40a7b07810c9c5db51cd152e641c7289a2f8a0911bb51aca38e21cee2038362b9340dd61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
95ff6f28228f9314d3105599aa0a5c55

SHA1
f47657e5e5983be343837fc5c05a2599c1e0e2c9

SHA256
ba632e36b1085d771e8844432fe3cf64d8c5de20cfffcf194013b5ed5dcfcca9

SHA512
947d67d33be2935a357e4507576fe5ddfd1176779bb9a0f0ec9923d638ad9f07750463e8b60d215832082741fa2ac497b36a1a2163c03b123f03e06c23ed736f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e3fd86e36c1a664f36bf7640df438771

SHA1
6fea497fdc68f9bc451ca998954556a81aae7df4

SHA256
a7d51cd65c1cceaced71a9e666d18c1488a37ceaad0314eef6ff457823827e72

SHA512
5e64d365adff900c80f4ae74a512eae17bd618b1bfa5c7b137dbd905f0f5670a64143f3a88b386f57575f4d6bd210b12a8f899820756bc778cf63f80d4a8aea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
60a473342b6711f7448b689de94dbd93

SHA1
89745fbb1c7e663356f88120be98f60746f18693

SHA256
a88b4b7a6bacdb4b6cf9c33ccb5b0885843e5e72f003f6ff737011f9c4e39d3d

SHA512
b7e3ec447bd7faaa79a6ac6b183443c0e311df996d9a9c3674bb7dae7af2652b8a1ba72907eda9718636bcf31ca8e64e6e3bdf0c1ff7f1a53cef6122e5d69a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0a8548903dfec5a76d4b5257ed50b93f

SHA1
15b390e1f7242647472fd0f1aa9b75db6f6bd679

SHA256
7c483f6044b7abd3fde0f4e31ac9a67a39887dbb6793efc5712c4351db0a900e

SHA512
5e7b6f066f03aaad5c3b4be8c96e1e0c478d8a837ce81bdb2ec725a7da727d199ac94e25fb7592fe182689092a3b6c723050b4f582cd7465379adcecea2da7da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
051ecaf02a387bf223533b7ada269846

SHA1
36725753cc05363c52dce12f94544976316ed1e3

SHA256
ea818f801699e2aff0d0adecccbed2bceac0a2d9d039d2437f700f61ec21e4dd

SHA512
bc59fabd098243386b51489dd68d1d55b0198f71aeaae543b5f01dadf82dc787cf06862f9e0b3a68bc223be4a1cd94e168260bd196d286829f279e9cf4856212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b96c1ed7fa9b3fd5a5e5f2dc33660b85

SHA1
104296754b341f1846caf22480143b045963e29c

SHA256
9270ac2d24d4d5f1b88369d237c9a4f8c2eb0803c2bcf90fdc46cd4021c19857

SHA512
beff75280d3071b87d9d75a982c4454a263a79ad5b65764bd598fb60fe5d1834eedd3a40adf7fa9aa11d1a42cf13419ec6d7d967606abd721f8e8f4868d4d94d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
beb71674976a628b4329c60ca843d9e9

SHA1
b5e40260475fa6bc904538025a0152003b659503

SHA256
f3487dc85145cd0019fc8ef609a459c7518fcf5ed12a6c760bdef6ac71aaddbc

SHA512
f688e30080f48ec92e1a89ca8f735ba8823e3365d977360b7ad1ac88ec54a63b114a2054e16c427e7e75938eabcc0080a56eb7120e6ff7a87b630628f14cd010

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bb61.TMP

Filesize
48B

MD5
f2a441bad1f2b10f9fda9cbf8dabbece

SHA1
2be589f151c5eb341f63721fa5c85920e65d796b

SHA256
038e4f4bee9fd0227b3c930582ebf7213df073a011cdf66e20d0a62cb12f52bf

SHA512
42c3a04e21d755f0d73b52747cb81a2f2fb57b7e5bb120eeb9cf2aae13f41f6c1afe0fe93c6f9ee560105c7be3eecf09f5729d0ee76d2b74583fe4ba0de8f9f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
3f688a11d254235f64b34a5f6a43f71c

SHA1
5b1458fe587736b3c86bb853778b548acb79f4c2

SHA256
b9ff67890519710418417c963694c1d2b1cb845203bb735697e2897fceb6dfac

SHA512
eb9061e301a8c28a93c47be96ad10ea37f1d1e3b5e920084dff51fc3e24e45f408e0b020e3a7cbb696bffc2492ef8992d53d340019dd829cd66cc41a7e24f61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
0493139db7c07377b2aa82514d3df81b

SHA1
291f5ae00682546cb5905299d553573d3bda960b

SHA256
d0373ad886470324e9d7152515f409e3d9cd1a7079ffcd159393b8147246e718

SHA512
fa55528e7af2c120dcec6d85786d52549123fc1aa9ce715694e44cbc738226e2607b03b0c4cf65767488b488075c6d9f7b10eae54ed74fd7755cda51827c88e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
991d2ad8763a63d72bd37651f97c24e9

SHA1
8c95c85688b848652f93391772b499b2b3459239

SHA256
323d45d6b940db6df8939d6297eaff0b65a0554dd0bbcf1cdae10ac22f545e1d

SHA512
b9bb5de39767d055fb9d90cb12caa8d09041d0c45ed38188b92eb75c5369258fe068c3d956a6ff7c9ec439bcd9760618d9d1cd7d39454e62ad2c0a9159c82814

Download Submit
C:\Users\Admin\Downloads\ElysiumExeFree.rar.crdownload

Filesize
10.3MB

MD5
b9976332f4636c6a0f7671954a64a9d9

SHA1
71176b045adff9369310e41dbb05434805648802

SHA256
7220429bc576e494fa56ccac81c958b8eadbb174bb9bbe992c7b3949d764de32

SHA512
6e7cfa731d8c79d7c32984c85051d7346f034ad83779baf46cb1cab9d3a4f5ff61adab61cd5c3141f602174818f48d7ab39c0691b0fe421dd6bd0a8794b29d01

Download Submit
C:\Users\Admin\Downloads\ElysiumExeFree\ElysiumExeFree\ElysiumExeFree1.1.exe

Filesize
3.1MB

MD5
1e4e8c6d1bf62ff6b365e0cba9c4a6d1

SHA1
2acf897c8414528b0620707c8661d268af0d1222

SHA256
19f8b2f1c0fffe8f37dee7acb107554034f73af09de178fcee107a04cb6ea98e

SHA512
4f537099eacd68f3c825cfb5501f2082c3b43b7e3cdff9755765d9a3b9285cbfadd8374df79c78963404c7c51866eb324482cd0b32e965c121c3beb2736c935c

Download Submit
memory/208-259-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/208-257-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/388-254-0x0000000000E80000-0x00000000019FC000-memory.dmp

Filesize
11.5MB

Download
memory/388-230-0x0000000000E80000-0x00000000019FC000-memory.dmp

Filesize
11.5MB

Download
memory/388-255-0x0000000000E80000-0x00000000019FC000-memory.dmp

Filesize
11.5MB

Download
memory/3016-216-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/3016-232-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/4756-251-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/4756-253-0x0000000000020000-0x0000000000B9C000-memory.dmp

Filesize
11.5MB

Download
memory/5928-239-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-242-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-241-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-240-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-243-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-244-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-233-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-234-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-235-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download
memory/5928-245-0x000001AA87DC0000-0x000001AA87DC1000-memory.dmp

Filesize
4KB

Download