hawkeye | 86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b

Resubmissions

13-08-2024 05:13

240813-fwxkla1cmp 10

13-08-2024 04:01

240813-elmf7syblp 10

Analysis

max time kernel
52s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe
Size

192KB
MD5

91884f1ac121d9e5ded8bdef85da6052
SHA1

e92c5ef867200ce2afe6d2ef3d2515375c25a8f7
SHA256

86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b
SHA512

62c19263d2dcd265610957176bb0794e071837b6b1c2e6922afd29c097fcfe210657627739b3e3e1c8409b0a8afb6b647e6d246eb276c10e0d1531293551311d
SSDEEP

3072:gej6QTDgiEIDL5ntDnj/rlIudpB8gkgqXEoqGxT5AH:g8hvg8DL5ntb7hBkgXoZxT5K

Score

10^/10

hawkeye credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
78951asd

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 2 IoCs

Processes:

Windows Update.exe

description	ioc	Process
File created	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe
File opened for modification	C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe	Windows Update.exe

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid	Process
3000	Windows Update.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Update.exe

pid	Process
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe
3000	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Windows Update.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	3000	Windows Update.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid	Process
3000	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exechrome.exe

description	pid	Process	procid_target
PID 2244 wrote to memory of 3000	2244	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe	30
PID 2244 wrote to memory of 3000	2244	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe	30
PID 2244 wrote to memory of 3000	2244	91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2728	2852	chrome.exe	33
PID 2852 wrote to memory of 2728	2852	chrome.exe	33
PID 2852 wrote to memory of 2728	2852	chrome.exe	33
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2236	2852	chrome.exe	34
PID 2852 wrote to memory of 2148	2852	chrome.exe	35
PID 2852 wrote to memory of 2148	2852	chrome.exe	35
PID 2852 wrote to memory of 2148	2852	chrome.exe	35
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36
PID 2852 wrote to memory of 2408	2852	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91884f1ac121d9e5ded8bdef85da6052_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2899758,0x7fef2899768,0x7fef2899778
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:2
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2764 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3856 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3604 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3832 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3132 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2628 --field-trial-handle=1388,i,8140543833822015601,16226382067643472794,131072 /prefetch:1
  2⤵
  PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
41d496075b67b3c9a3796433c9c79d82

SHA1
d193a19fb15f6726a1e85e0c440d00e48ed9442b

SHA256
c350a83c1bc271d4b21a18774fb47d97b54879b54c0df950a860a1aaa4f56452

SHA512
7ea92f212a1be891b1e9e678ebdc98776a7ead03605e05b260691e9afd0371a3d9faad31cecbd54eec9f1957afb42f8a58ae423eef8d31398390b94c7c788415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
30be04e117e20b6a6796e15f940fcae6

SHA1
6e9a2f954f41bcce652d99f9e176e18f62003b38

SHA256
e25587f8e04f565a58a1fa0b0c942e49ac5d35be748ae0de193be9775f68a4ce

SHA512
bfea844a3c14fecd7f846316d7a86300718801cec52eed4c237748f5e156038f97aa7db76ff7a17b78e046ec7eb52616d2273d0cc34976cc21ad060a4f862c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7dc00bbddd8dac0cb53c3ca8334b96bb

SHA1
e258620758faf0041ebd334494e9fcff7dfb5f42

SHA256
83af9df8e5bca46b8337313565c947f7e96424046f17bd1a930c87cc532043d6

SHA512
218bbdc9fdd5f18f9881557b134f810fb1b18e27c5a7feb4b22151049ea6d3699bf13b06ef50956312759f7af5e61d45b38e0f3e4249e0df50ae7ca4c9f4b0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7dc498fcb3069855fa78c5d058a38dad

SHA1
1b5372a98d53bf080b622a0b12bb87c1011e886f

SHA256
36e9631de850e8d192afddddd9823d6469fcaa8a2f1aaf6f57e9f6aecbc90b17

SHA512
88b7f7f2daad9604fbcea93e1b7bc53fc68be89e5582eac579ed90e165fb83ebb4e0ecde4d8ecfc919bd8e40b58ce97112d88152cc35fb7c97b99fbab0d151ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5c58f7793b65261801b9516b1e27fabf

SHA1
b388bc9d3cacaa178a8830ec19c6e68425fba2ed

SHA256
9b97432c585fd991d47d6133badadffb678134b813f2c93f461190cc33e8c9df

SHA512
9938bbb0f83d05a00e5debbd69efe15a8b2d0d37144262eaa0e79a0963017133a7f2354faa4fca7b4a4db32d3e113e7b3fb5a396f92cfe197de2f34476ef00cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
dbe78d818e70435eb296fc8c6a0a5f16

SHA1
7864eec3d0ae7a0b43e15f3dfad42f8076216c79

SHA256
b59b248df07af970d7ebe46b44e720c82946aac01b3ed43202bab2818f80e01c

SHA512
f7b9c815e7518d47644a48e6bd18abdd329e52ce8b19e7669763ca1d200909bc45e30ae18b4b5d2dc4785aa84c26d303e83c0afa98cda963891f41741ad58f90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
317KB

MD5
70bf2dc5fe87060b5e8415cb6c227dea

SHA1
fac46df06dfa508393b91d2f0c5d355899f97dc2

SHA256
0b2a7faf4e0550d666c2edf614a04292c1d435c293c76d5cea71545c640d7850

SHA512
6554b179ae70bce8c1a966188a360f13a86a527fdfd5010f6dd0d8014d662c6355326858a23e089719f046f0d38582ce7a79ab74e1bcda6307ebdc4ca8fe9eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
162KB

MD5
28fe44987708cb95beaf86cff951a90d

SHA1
4b6397edb6db8f73e856ecf0a739b5e396f7f5b0

SHA256
da9b7f448dfec30aa5d976f3983a3723f14ef0410ecdca80bbbbde47c207fdd2

SHA512
35c3a8a1f9b945fea3e62f4594fb70e3286a908bbd632a65f1fe701244703acf53380a5ede94e6a3a47b0253dd18726374aa3c0946b6f5e46f24ddd0221751fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
318KB

MD5
abf6007644d4890a3cfcd00b180dff12

SHA1
961154c73b66638b5ac661b4da397ca307f03791

SHA256
f2609016b3b25cefb75aef2be0db8c5a14c584a20d9e27728270cdd21002b255

SHA512
e9a8233b079fb1b30b2a8077263859dbda82da556bbfe4e20b43452c9a7754fc60e5ae0cf70a984a013f5148d9b3a6eb2b31c67d8e0f356ef127541831082b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
360KB

MD5
8db265198eff806d20f04dc714530125

SHA1
80cd164aa94afe7df3e9eb59bc7e78e5220f13c8

SHA256
50cb82a87123ed8d238f3d363a7526d0eae8b670d8e462d999248fa9c76a6e6a

SHA512
7450fe02ab0ba4d74c3c023d3f10ae4e5ba99aac96df3ed3a2ef9efcc2fce605bf1734224810104b12e2958c77d1100a197fe8ca4c968f3d81e018860854e103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
317KB

MD5
065180f6d1de4e437aad537823688391

SHA1
ac05c130f46352a6c580f3ca53666ebafc1753de

SHA256
a38ffd9dbfe550c85396713796ddde396979883598d40e699fc6bee5020f9e29

SHA512
5f1fe9c44b1cd0f84a05b7045935602e8109c192aa5e747e0fb170b5856bb6e422edfe0a7f558ea16177f4b7a6114c46a5808c1daf134dd4e7b9674a42f97145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab175A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
007f02e79bb52ccf5f6fdf35a0daeeb3

SHA1
ab4948bf44ebbe20a5b6b1aceaec10e770b4b75a

SHA256
90c00b8890e07b8c0018615d071054177566933769fcebb2c267870f710cc6c1

SHA512
e666780b772935b54a6707eede2d97f6008d2653c1c105e654ae268417679108c02b755354577bab9b40377fd5e61af25796ab0f81cafd2af5556bb256d28f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar177C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
192KB

MD5
91884f1ac121d9e5ded8bdef85da6052

SHA1
e92c5ef867200ce2afe6d2ef3d2515375c25a8f7

SHA256
86a825dc2b72314a5db4885e495db0ed61044e3ed8e00cbe7dc05c706b66be5b

SHA512
62c19263d2dcd265610957176bb0794e071837b6b1c2e6922afd29c097fcfe210657627739b3e3e1c8409b0a8afb6b647e6d246eb276c10e0d1531293551311d

Download Submit
\??\pipe\crashpad_2852_UUMXWRSYEZRGWPAU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2244-0-0x000007FEF552E000-0x000007FEF552F000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-8-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-4-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-15-0x0000000000C50000-0x0000000000C72000-memory.dmp

Filesize
136KB

Download
memory/3000-124-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-111-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-110-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-105-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-104-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-18-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-17-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-16-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-10-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-9-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download