stormkitty | 61f80d4e1cab8965a4b8e2ff94f9259a34052b9bb587fc790ff7c72a7e0cb88b

Analysis

max time kernel
102s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe
Size

5.9MB
MD5

3e9c8110f16f5cd05d10145e285431a6
SHA1

e6bd5165ecb226a15d7b9d94294f48a4c763f02e
SHA256

61f80d4e1cab8965a4b8e2ff94f9259a34052b9bb587fc790ff7c72a7e0cb88b
SHA512

f915c2da18215d2653437d41ee894080d99d8a59e5b3b8623354b57bc73f41f38d3ff0b6a7069c510ef6bb1375934d58e06af190d410c6366d8030bc6d6d8ce7
SSDEEP

98304:jr1sXcfq52vHkhnpT7x/1qFI8zThj941RsKRABzueL:SXcfq52vEhnNthwdx41RI

Score

10^/10

stormkitty collection credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2316-2-0x0000000000400000-0x0000000000444000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4304 created 3516	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	56

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3820	chrome.exe
3644	chrome.exe
4904	chrome.exe
1668	chrome.exe
1444	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
780	netsh.exe
1812	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe
4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
2316	RegAsm.exe
3820	chrome.exe
3820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	RegAsm.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 4304 wrote to memory of 2316	4304	2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe	90
PID 2316 wrote to memory of 1812	2316	RegAsm.exe	94
PID 2316 wrote to memory of 1812	2316	RegAsm.exe	94
PID 2316 wrote to memory of 1812	2316	RegAsm.exe	94
PID 1812 wrote to memory of 684	1812	cmd.exe	96
PID 1812 wrote to memory of 684	1812	cmd.exe	96
PID 1812 wrote to memory of 684	1812	cmd.exe	96
PID 1812 wrote to memory of 780	1812	cmd.exe	97
PID 1812 wrote to memory of 780	1812	cmd.exe	97
PID 1812 wrote to memory of 780	1812	cmd.exe	97
PID 1812 wrote to memory of 4624	1812	cmd.exe	98
PID 1812 wrote to memory of 4624	1812	cmd.exe	98
PID 1812 wrote to memory of 4624	1812	cmd.exe	98
PID 2316 wrote to memory of 4776	2316	RegAsm.exe	100
PID 2316 wrote to memory of 4776	2316	RegAsm.exe	100
PID 2316 wrote to memory of 4776	2316	RegAsm.exe	100
PID 4776 wrote to memory of 3644	4776	cmd.exe	102
PID 4776 wrote to memory of 3644	4776	cmd.exe	102
PID 4776 wrote to memory of 3644	4776	cmd.exe	102
PID 4776 wrote to memory of 1120	4776	cmd.exe	103
PID 4776 wrote to memory of 1120	4776	cmd.exe	103
PID 4776 wrote to memory of 1120	4776	cmd.exe	103
PID 2316 wrote to memory of 3820	2316	RegAsm.exe	110
PID 2316 wrote to memory of 3820	2316	RegAsm.exe	110
PID 3820 wrote to memory of 4896	3820	chrome.exe	111
PID 3820 wrote to memory of 4896	3820	chrome.exe	111
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 1896	3820	chrome.exe	112
PID 3820 wrote to memory of 824	3820	chrome.exe	113

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_3e9c8110f16f5cd05d10145e285431a6_frostygoop_ghostlocker_sliver.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:780
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82b2bdcf8,0x7ff82b2bdd04,0x7ff82b2bdd10
      4⤵
      PID:4896
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2032,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:1896
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2272,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2276 /prefetch:3
      4⤵
      PID:824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2556 /prefetch:8
      4⤵
      PID:2876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4356,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4388 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3956,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1444
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4900,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4936 /prefetch:8
      4⤵
      PID:4116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5052,i,11201333944872534112,7012394286336484134,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5048 /prefetch:8
      4⤵
      PID:684

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
597dda2aa8e4ed574a8dfc4ead89d7e3

SHA1
ed4574b02722cf38e4a8ece41ae1408c2476982e

SHA256
b47e1cf0d34cf8fb050454b1e6a9ed61e31b4c28e09317ead40aa1ee0ed4122d

SHA512
ab6d065be009bf6d985e0c0b7a951448e8e8470d9a5c51302d50999bd4617ed3b1718eac90f62393dc9b0d60771e9cdacdf7712d295e57c09e2c4bbc2676360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
4KB

MD5
7219757fb42279aaaf9ee223c71871ae

SHA1
a4cacd87e9e2f276a7f9907714ece663845c5419

SHA256
cd9cd28eb03d66befb63ba9c49b7bad89dda84078faeb62b690706c488a3d182

SHA512
81fb6aad6d6651c877d12d589f731bff85dd5bf1854052175544f6670384b17f2b15904fca2259bbd480fd41241f42942b2bd40ea92cb37b371f3fc2b54aecc1

Download Submit
memory/2316-3-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/2316-6-0x0000000006500000-0x0000000006566000-memory.dmp

Filesize
408KB

Download
memory/2316-7-0x0000000006710000-0x00000000067A2000-memory.dmp

Filesize
584KB

Download
memory/2316-102-0x0000000007160000-0x0000000007704000-memory.dmp

Filesize
5.6MB

Download
memory/2316-5-0x0000000005C20000-0x000000000614C000-memory.dmp

Filesize
5.2MB

Download
memory/2316-4-0x0000000004F20000-0x00000000050E2000-memory.dmp

Filesize
1.8MB

Download
memory/2316-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-1-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/2316-210-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download