mercurialgrabber | 48cd44b7ab05263304534ff91c507d1151cc62087f0e56805b5d6d400f6ed7d3

Analysis

max time kernel
55s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImgLogger.exe
Size

45KB
MD5

37206d445dfcea8bf0e07f6dbcf421de
SHA1

a0fe6e2635f7e88255acc1bfde050ff1744ed220
SHA256

48cd44b7ab05263304534ff91c507d1151cc62087f0e56805b5d6d400f6ed7d3
SHA512

af2e37cf2c0aaa8f4444b9da41c07ce731a62a0dad56c202a0a2eb9f7128690538e3720d511963980dd574b57aa6c082d49d8f7ed802868125608a974e9596be
SSDEEP

768:rmtVdxCG5Q7YBNuZSLbLTjjKZKfgm3EhhSDW:cxJBFLbLTfF7EjS

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/1259467309756710993/xiTXl12FOdfO8JQ3DMnZ1_AGTHk4YoTVGukaIJ83I-lYVjcsqNcrtEPDqJ0Pc8vR7_mp

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ImgLogger.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions ImgLogger.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ImgLogger.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools ImgLogger.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ImgLogger.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ImgLogger.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
9 discord.com
10 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip4.seeip.org
5 ip4.seeip.org
6 ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	ImgLogger.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	ImgLogger.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ImgLogger.exe

flow	ioc
8	discord.com
9	discord.com
10	discord.com

flow	ioc
4	ip4.seeip.org
5	ip4.seeip.org
6	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ImgLogger.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ImgLogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ImgLogger.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

ImgLogger.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S ImgLogger.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	ImgLogger.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ImgLogger.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ImgLogger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ImgLogger.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchrome.exeImgLogger.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	ImgLogger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	ImgLogger.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	ImgLogger.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	ImgLogger.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ImgLogger.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ImgLogger.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ImgLogger.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

2784 EXCEL.EXE
3020 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2344 chrome.exe
2344 chrome.exe

pid	process
2784	EXCEL.EXE
3020	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ImgLogger.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2300	ImgLogger.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

2784 EXCEL.EXE
2784 EXCEL.EXE
2784 EXCEL.EXE
2784 EXCEL.EXE
2784 EXCEL.EXE
3020 EXCEL.EXE
3020 EXCEL.EXE
3020 EXCEL.EXE

pid	process
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
3020	EXCEL.EXE
3020	EXCEL.EXE
3020	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ImgLogger.exechrome.exe

description	pid	process	target process
PID 2300 wrote to memory of 2956	2300	ImgLogger.exe	WerFault.exe
PID 2300 wrote to memory of 2956	2300	ImgLogger.exe	WerFault.exe
PID 2300 wrote to memory of 2956	2300	ImgLogger.exe	WerFault.exe
PID 2344 wrote to memory of 316	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 316	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 316	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1012	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1972	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1972	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1972	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 780	2344	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ImgLogger.exe
"C:\Users\Admin\AppData\Local\Temp\ImgLogger.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2300 -s 1824
  2⤵
  PID:2956

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f39758,0x7fef6f39768,0x7fef6f39778
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:2
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1356 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1124 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3900 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1032 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3316 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2312 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1624 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1572 --field-trial-handle=1168,i,13501905841316281923,7617940731101166453,131072 /prefetch:8
  2⤵
  PID:1700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
227KB

MD5
e09df5a23acd241007ec35851474a7f9

SHA1
9802085247211e3c82c5e6fefc003e7c1f21227d

SHA256
846921a45a6d2203548059f9b22a5a5513105e43098da955bf402e681020bf56

SHA512
765b7cfa03aa7d750a18ad63c072c069329f4a7f7a594051c01700934497533ad07dc503c8b3892d5ac97f14b8b85a6f4868c7e5a1a4d2e40a7ae4f7514d1009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
19KB

MD5
c7444597254c3ab4b9a6aebf59420d6b

SHA1
af57edf5ad540ae22782b52fc0f71ee59ffeebc5

SHA256
fb8bdf02d52305589b64fdb41330d16b0730e28a61b6fccf7fce6f142792deaa

SHA512
f23810b709e61804ccb51ad153f220703a02e255ac7ce48cc108c809f84678d65bc22e87312d9b7b3598c30de79ef892ecf5bc301415f6ea795810f58a418e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
47KB

MD5
127b7a9f7009939d0ae5dd1a48386985

SHA1
f9e981f2fbc6df7e304803153fb6fe40f0dcb6ac

SHA256
9d8e3219c036313e8b27ecb7b91befc49de6a32352a5349656945a7525a89962

SHA512
b1a442d78f6adc7a67f8ee299d46817309798ff2a38a66af2ff03eaa276b3a7967fde34e801dc8488ed75b3110fd01b3a9763f792ce75e21fae190d4779c1287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf7856c7.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
c74be5c3cece6ce091fc87aa88d87bfb

SHA1
7994d2531abe2ab703af777e7983692aee2a9d70

SHA256
60ab302501166667f50b7981904f94f4c46dd7452c2b559a2a3586f18d2c6da1

SHA512
7e61b40d98ef4cfa73d6565666a925a8c53b77a342b2a364f92b2b3a3a23c40744fd32f3317e4e021fbff39b7af56762393dd52a7408639e67b909bf7de8bdee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
3a01dd1936b69069514903480f80c224

SHA1
249d4fa344ef9b916aa6d37f63e9b0e35515818a

SHA256
b16386af60bac6b242ae06769cfa28c9a525eb507b971b2f9b04c4ac30e48732

SHA512
740bd6b37ce254b697acb9c3d46a1be0ee94aa63dfc3f1d19f51ba3000ebca01efb2648e4174bbc9300ee9b53100c9e24ca8d5db26cf175a28f4725fa250cc53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
75d28369fd3778e2ed56ddf3089bd82e

SHA1
d51d278c9a56dcfd16ee54bf49e1ba34f362f7da

SHA256
8da15c5ed08fc170595ffb87d85835720180c9dc4f78ba15876b2d1ad3a59817

SHA512
f413e4f85ad7e779848c7c192d14146181122c3ebf9ffc367f7f6300ccc693c515b6141f77940a9b01307958ab972f4d3c97fe095771871e967c355112eb9c9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fafbaa397814f5700499e377294630c0

SHA1
efdc9d1d65a5256571816043433be61448691fad

SHA256
00db3da3a533431a7eeecfa9c2da63fe2f18936c912621a30ec63f43bb089d29

SHA512
998086cd7f28b8c1e80497a1053741377d0a82bb7e961c38fc052418e2b6ad4e7826a2d8dc0b7abd1457c8ec4119483d10afb55a72bc34008646d467117723b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2d749cd849c16f92597f83d88530192b

SHA1
129656a177855a83ec3d0335feb69a27ef938f37

SHA256
0e0c6994a7d8ee84b05569e40d5f9c9ea8473d5bee292dee180a04db23f63f4d

SHA512
a92dea4c189a7d191c8f35725b389c2143ed99a8c48d42c6f66df4d2ceb23b378fc82bd1533036cff5ce6d6c32d6411c24706c32040ec0f76893b762ebc358bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3cca6702-424c-4905-9ffa-772d4c12db2f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b50aec18-a4af-4ec7-b6d1-1b29add7a74d\index-dir\the-real-index

Filesize
504B

MD5
6af9e130ecd1a601dd63972023035240

SHA1
68ef7d880a22b280f6133651a988e8d5bc67608e

SHA256
4dd84dc77f52aa6d6f713240e4327cf156ac6eed9b88fdbd8b8b4f4c1b5962e9

SHA512
4289621c9b21eae1cf4ce5a8b51575a571347c20ea5eba72700b9da700240db102e02a8781c51340ee302a239ff7ecaae66ecb668d04e6233d934a24c2b9bb47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
72c1ef25c0c53d5cebd29b13fa7545b2

SHA1
cb41c6cc143c63ea93a760710c8a19f6cd1ea930

SHA256
295adae007e7c72695d68bfa7b130bf1b22cdcb8e2031d5b89fdcd76a8eb02b2

SHA512
e7b3481eb8bcbf97fa5bc79fb116d967f7ab8c1b0f562f501ebd93dc35dd46e8f22963198100e6e074a615124261c58c9b27cfdd6e29a1b4882aaf06c0320f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
809e8efe6b8a37ef4980878e1cb31784

SHA1
7298c0d4520fd2bd96d2df320643530060c240c8

SHA256
2d0258f16824600aff14ccd08a69884f851328e1ecb769d8a3b34163ba8f9b23

SHA512
36718fbdcb63477ff2013dde5bfea9905d1b5b4129d301979b35c0c5969c3ed3894b1a4e0b8e2de28b3a1310061fd05c532fd06a222091c8087747ea1cb40aca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
3ce3d672df32307b467ac02cb7bd4831

SHA1
7df18d90effed1670e604e636069fac92cd46816

SHA256
ba98ad272a1f1e7973458a4aa00bb8b72ce0ef67aa33313b5d40ca2504606295

SHA512
9a3196b0a4b4587995341dae3f88a52e4d3b56de111b36c87d1677928f88f419388e220122cbcd5c7da01680f144d8d2e4c5faffa8e440f67ef43bb84c380f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
1a55ba9daa9cca4521ff0f0bee9d2c5b

SHA1
ce03528793c4f2f625725a19ea0f2fc746943c65

SHA256
db9eb59ec9620b8f782e4a7ec64721c75b6079259b6f680ce31acc4374dd8ed6

SHA512
6c6538e59d5a210bddd317430502ad1b1ba672849358b12be9015fc6be067ce1a70a2aa0a2583770e48a02bf218cfa7333c25b8656cf3b3314e2f0f492d0843a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2344_1007548537\Shortcuts Menu Icons\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
382B

MD5
5c23e1c4135109942113d1570e501c32

SHA1
333a76608c733d56a5864b0493d50ec5dcce9811

SHA256
3544f0b136a1f7cdc4f3b59f905936966990f5299173f06c61a12d631989da6e

SHA512
fc16f42e03e7d90079972e44328cc84e1f21aa1e75334e112720d9310d0ba9562ed1804bf125013160d03490890ee9e9460db89528fe4ee46a811e939cb12e03

Download Submit
C:\Users\Admin\Desktop\CompleteClose.xlsx

Filesize
8KB

MD5
78186305cce59553d501912154807012

SHA1
115ba4baa86f22b5b20781779d5d026b5108cf26

SHA256
a89bf85bcf013287f63b6b37edb5dcc707c40c1fabfb81e09da0872b91ccdb07

SHA512
80d6344db753ddb2a2a7a8d95aca0e2e98fc02e3e76a274c53bdd6ec7baf139b5abc63d6d1e5fcf0402ebbb63a3676da00c7530afdf5835bbaf8223da00dd216

Download Submit
\??\pipe\crashpad_2344_ASKQCMWVVVPVZQVV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2300-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2300-15-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-1-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2784-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2784-27-0x0000000072C9D000-0x0000000072CA8000-memory.dmp

Filesize
44KB

Download
memory/2784-4-0x0000000072C9D000-0x0000000072CA8000-memory.dmp

Filesize
44KB

Download
memory/2784-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download