hawkeye | 1c742b10c45081fb1d7f64ee7165b66dfa82f05bb5233f5567512043031e2633

Analysis

max time kernel
43s
max time network
48s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
Size

1.3MB
MD5

ff59b59d6fb138bd3a588d89ea0fa1d7
SHA1

fad22ded5983e8d5a9bffa398c3281670e496f46
SHA256

8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
SHA512

7c3017e263d812bac1ad57bf4ed4371fe7414cbde8af077e507811a9ce538d1fdbbb5d396f355792dae67cdf9c25e3b0128a036816d74a48ad68c62e5109054e
SSDEEP

24576:x6qt46zuDJ+ssHguZbtg2aLJ5eKSKmR9Fmt5J2NY9/:xZqARsV5VmFmzJ2M/

Score

10^/10

hawkeye agilenet collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/3320-16-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2360-48-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2360-49-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2360-51-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/3320-16-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/3852-76-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/3852-77-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/3852-90-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3320-16-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2360-48-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2360-49-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2360-51-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/3852-76-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/3852-77-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/3852-90-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid	Process
3320	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2316-8-0x0000000006730000-0x0000000006758000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	whatismyipaddress.com
9	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exeInstallUtil.exe

description	pid	Process	procid_target
PID 2316 set thread context of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 3320 set thread context of 2360	3320	InstallUtil.exe	85
PID 3320 set thread context of 3852	3320	InstallUtil.exe	88

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586475172714900"	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exechrome.exevbc.exeInstallUtil.exe

pid	Process
2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
3076	chrome.exe
3076	chrome.exe
3852	vbc.exe
3852	vbc.exe
3320	InstallUtil.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exeInstallUtil.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
Token: SeDebugPrivilege	3320	InstallUtil.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid	Process
3320	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exechrome.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 2316 wrote to memory of 3320	2316	ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe	71
PID 3076 wrote to memory of 168	3076	chrome.exe	74
PID 3076 wrote to memory of 168	3076	chrome.exe	74
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 224	3076	chrome.exe	76
PID 3076 wrote to memory of 5084	3076	chrome.exe	77
PID 3076 wrote to memory of 5084	3076	chrome.exe	77
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78
PID 3076 wrote to memory of 520	3076	chrome.exe	78

C:\Users\Admin\AppData\Local\Temp\ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff59b59d6fb138bd3a588d89ea0fa1d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff907449758,0x7ff907449768,0x7ff907449778
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3636 --field-trial-handle=1760,i,13690502912961183146,17054828663643914903,131072 /prefetch:1
  2⤵
  PID:4112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
72eeac7196c0c5dc8cb137ac811a2b60

SHA1
fb7e12e93163b8fe7ee261c2b3ce26e1cb692ec2

SHA256
996e17e212043f94c87a953d86e5a357f5d6b392fbdfc98dc759e278f765a24c

SHA512
8d35c5d40ee0473f02a8e729d5b8ad8146c14dcaef61a896cafbb05e6719642f742887ca646d4bbed61ecfccf84acef085fa6a9c8edf4cc33cc03ab3385f5309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b9705a8de7c05f0a24eb6a616d095348

SHA1
c3077a4d1b710c2199a914746238ca9d5ddb7ba3

SHA256
a982f9188c8754dfe39891a2dd94cfebceef964e5f68d0feccf7c792ed1686f9

SHA512
2ffaa4d0bb5a92bb882f892d8941f53ed46d443a89e7cb963eba282864618b193c00049a05532cb7902df96ef97b3dc203b06b3ce9976127a3458d93cb07f1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
14b7cefbd7bfd85d07e4ab15a5395748

SHA1
b75a145f88570499749723053fd00c1d1b8cf58b

SHA256
69960cb75c0ea5b13d30e901466f753a32f26a1154db03bcdf31dce2c368a2f3

SHA512
d5935774c047f45c527dd37f488034a4987824a43f80a4e8f51991d9e9f18b3d4feead6f4118df8b1ce2e4dd5136eee2dbe92af7172d20d7ad7e47a1a2f28e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d5c5cf8ce97b16313809a4d321caf27a

SHA1
1c80eafd3d747fbe6405580596ac4d8fa93859df

SHA256
8c31a30ffc2957a5ac87aed0c275fa442603887d92b28043ac3c4ab96f278170

SHA512
ed43ec0c3816c4db4bb821138aafb53d5128d85823e53ebd0833d27db71f06287cdbf19a20ab6036f49d6dbceeb9fda37d01ee8052f78a8080c9cdbae109ee95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d56214db6f07a9dfd6754f3394ae10f2

SHA1
c29acdb86a3c1db98dc899db1f4630ddd7a35bca

SHA256
d44a1c7c0a4f5a52999ca163a5365d91710368df0b32ebf7530c43f68d339bd4

SHA512
365c344d360af3bd34d240b51d2f74c16671c72f2257740563c91e7b8c7f9d8951b7a0d35049f17339f987428dd816912822de9762a67847224540932b0de7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1d51e5688807e0c096c09ea7aa837d06

SHA1
ef74aedc5181c9214c444b66dcef2468d8266607

SHA256
02759ea123385a6b5371d91541529b941dbf2d996becb71575b744cbf0efa11b

SHA512
f2be5b3eecc6b0601046fff10168a8ed32e948cd6875a21c636023532567d3540ea889ebd92e952f83d975959bc6411c2b4ac7e6075557f9ce930c546d44f2f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
477d6d6bbf03d5a7c41f7301cd12d0a9

SHA1
6cefa3fe210b39b1f0fc20c0d73a56d55ac335b8

SHA256
21a0c46eee543d9638973c27566590130bc4b74b7c25cbc9849349be21865641

SHA512
6dcbdcf1aebbff4ac41453a42051015bd6fb798bbc861a19f2d45462889c072296e0b176ffcdf55d0ebabe055f7329474fa75b6c45428664720e683eb4db8053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c25dcc532a720828c2970faa3d16bd1

SHA1
61e434c91da70426de765356b643fb519e159dc4

SHA256
6c25c3cda1a97ac06eddba3a3bc2ea2595ebe58858d44a85f48836c526311de5

SHA512
8be45dccc491bc3c0584403e3851df727f2e7753c84152405e2c0a776d173bbae3e755c89b815553c541f6b09846284d6e13a492f73d1185cbe40b63c824aae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
8fe00f28e5c43dec5d052c53128cc4ff

SHA1
b1535f3320b41c6d3ebe7a01d801a10ff5b33268

SHA256
53b64e02f71db75692ce321e1200054245d6227e0aa8c66563dc43f1dd396794

SHA512
e06182971568ec16dfd8305e29c3d6051b15b6d5fbf33cfa8185a033472c51e0c52b7b81cca75f68caec5db0328ea41ab2fea4ada282f1f56cf715894a659908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
28affdc5f1dca3bfd5d818d9a5c1489c

SHA1
35ae7f549c0b129fb4f723064c83b707c65a5b9c

SHA256
9404770bc5baf0ba67e3243db7ccc83fa39b9088dd74dbe1c1b7cd682b2f7f77

SHA512
990ad65b2024cd44df6ba0c723efe460f7a3e71050f034b634419eaed733663f2f7de779747a57d8f8a93e4997d68e8cb31229ba307af7e584bd065719c0c65a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/2316-7-0x00000000066A0000-0x00000000066B2000-memory.dmp

Filesize
72KB

Download
memory/2316-4-0x00000000052F0000-0x0000000005640000-memory.dmp

Filesize
3.3MB

Download
memory/2316-13-0x0000000007530000-0x0000000007544000-memory.dmp

Filesize
80KB

Download
memory/2316-11-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download
memory/2316-10-0x00000000067A0000-0x00000000067C2000-memory.dmp

Filesize
136KB

Download
memory/2316-9-0x00000000067D0000-0x0000000006836000-memory.dmp

Filesize
408KB

Download
memory/2316-8-0x0000000006730000-0x0000000006758000-memory.dmp

Filesize
160KB

Download
memory/2316-0-0x0000000000810000-0x000000000095A000-memory.dmp

Filesize
1.3MB

Download
memory/2316-1-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-2-0x00000000056B0000-0x0000000005BAE000-memory.dmp

Filesize
5.0MB

Download
memory/2316-75-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-6-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download
memory/2316-5-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

Filesize
624KB

Download
memory/2316-14-0x0000000009B30000-0x0000000009B36000-memory.dmp

Filesize
24KB

Download
memory/2316-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/2360-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-48-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3320-47-0x0000000006F80000-0x0000000006F88000-memory.dmp

Filesize
32KB

Download
memory/3320-111-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/3320-112-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/3320-23-0x0000000005A20000-0x0000000005A76000-memory.dmp

Filesize
344KB

Download
memory/3320-22-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/3320-21-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/3320-20-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/3320-16-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3852-90-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3852-77-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3852-76-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download