snakekeylogger | 9633897157818f56c91c4300139857c51a20ee4aabb79ec3dc828d7ab84b99c2

Analysis

max time kernel
140s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-09-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shipping Documents_pdf.exe
Size

1.3MB
MD5

52d5a83500d97289b521d9198e2fc7b1
SHA1

ff54ced5e26f13b4ccf460a7374161de6457f7dd
SHA256

0cc5b183c0c6db7ef329d897da4bcbdfdd8833131e486f7f81636789d6f8d63b
SHA512

95dab98bb8e8599ad3d2434ba6d5a1c1591410a603d64d1e2431b08f74df003b665aeb1bf89cf0b3a0a3da136a65cdef97e18f6992688ed6409fa7658e1b6abe
SSDEEP

24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aM1B6f5B5hmg9LWLahN0IW:BTvC/MTQYxsWR7aWB6BrhmJ

Score

10^/10

snakekeylogger collection credential_access discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.al-subai.com
Port:
587
Username:
[email protected]
Password:
A_Sadek1962
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1760-3-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 1760	4676	Shipping Documents_pdf.exe	81

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3876	4676	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping Documents_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4676	Shipping Documents_pdf.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133709609504240993"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{9AA84418-ECDC-4279-A0BF-2F6877C9C771}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1760	RegSvcs.exe
1760	RegSvcs.exe
3164	chrome.exe
3164	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4676	Shipping Documents_pdf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	RegSvcs.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4676	Shipping Documents_pdf.exe
4676	Shipping Documents_pdf.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4676	Shipping Documents_pdf.exe
4676	Shipping Documents_pdf.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1124	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1760	4676	Shipping Documents_pdf.exe	81
PID 4676 wrote to memory of 1760	4676	Shipping Documents_pdf.exe	81
PID 4676 wrote to memory of 1760	4676	Shipping Documents_pdf.exe	81
PID 4676 wrote to memory of 1760	4676	Shipping Documents_pdf.exe	81
PID 3164 wrote to memory of 1164	3164	chrome.exe	89
PID 3164 wrote to memory of 1164	3164	chrome.exe	89
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4948	3164	chrome.exe	90
PID 3164 wrote to memory of 4796	3164	chrome.exe	91
PID 3164 wrote to memory of 4796	3164	chrome.exe	91
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92
PID 3164 wrote to memory of 3472	3164	chrome.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Documents_pdf.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 736
  2⤵
  - Program crash
  PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4676 -ip 4676
1⤵
PID:5104

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95979cc40,0x7ff95979cc4c,0x7ff95979cc58
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3604,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4996,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3584,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3420,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5312,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,11149546324758359095,9522036426759007466,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  - Modifies registry class
  PID:736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9c84ddec4d8406e930aa2754725358bf

SHA1
9d8998abac57a9719e9e5dfcf4518b9b560be872

SHA256
ff02fc2fad028a74f410903805dbefbe0960553825672bb21eaecad2c55fdb45

SHA512
b54573a6a932d2157f08a9f3b8430b2bc82aa588997b3b601d34f152464e13dab98986fbf5bad7f367fc744de9a9ff1083eb099c0a1e4b8613cd876262c8b6bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
b9f1898faf46b37c7dc50dde366da050

SHA1
024807532e720a1ad3345ad3d6af67c760b24b6e

SHA256
2abc5d1f4368b05818e9c942808c5341a14f2c750d2578ead1e5296f9ef395e4

SHA512
5b101e107085971e54c14c23f9f1f08fead1aad0d33946dd85808c7dca2098425ef415ff4f1d3f4ee4496b6904b046c251fa34b3b2a928de23d9a804b31c6420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
cd72117871767f1ec8ad7a4cb6805b09

SHA1
7ec8c78a2d5cee686fa8c5e45554cf1ac35e3b94

SHA256
815f6e615f28eeb5fcf4cb1201ee132371f502dc8dc9ce4c01d5fb3ff04d410c

SHA512
513c2cf53cfd8f94e183421a12aafc9e9916774aa26911e3c6cf1670d998cc5504a71c76138c1d72ba8191d6b77e00fa9600242562fbfef42d02457c68d02754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
455093eaa5f0e07f31ea0f180d3a01eb

SHA1
679af85f2d3ab1180456fdee1a94482e2bdb814c

SHA256
4ac139900259c03f7fcc301d77ed251a5db2563c76eeb458ed5a768a311a9c42

SHA512
81686476bdbd896ab9c4e7460a60f298a31aad2b2797cf56b5a3f8b82c5b71fb6bf6d612b37d286a035bbb8a8d195938437c4e8be52f0864d52c1a7e5efb8626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ad18cc660c4259f852a9fbc562bbaf23

SHA1
bde71f13790b4754adc9bdb4361239a17cbffa0f

SHA256
0041950fc0fe3feb8666c58e388f42c089937a2b73dd74f97f1dc3bc0528d48d

SHA512
9f51e8b4652b6cb8a53c88f81a98ecf086be9b9276f5bed1804050c9cac0a6fea1f0e34d0a973939daa112d10294b7c46e3133d86467afcebc01f18550822a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
b3c7aa59c1bd47250dbe272c1d077041

SHA1
2a5a7bef10db4fba908c48bd7b4c2d34879cd1a8

SHA256
1a219152bec329aa8c0f4f18da96ce8c581841281be633d553ccb29034b71eb4

SHA512
d9c64b705332e8db4b492438bf41da124599c8f9c2173e36849856074fcdcda0af8c7bf826a7b0f9e5ee0bad5eba1da703cd1726a953ec29ad5aafde016d066e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
3be5ccf2a45eef47125d372bc5ee8880

SHA1
ad2c55ce3f0b38cf4751d2881967319c34629d20

SHA256
b26aed2a038babb149201b7925e5c59bee8daff2da0cd27a34bf6421d33744b0

SHA512
d47c5759c7ebb21f1701e7475aa8751f4ddaac9b658aac6373c474f70cb184c2ad70000f2a49a3bea6ad598a4cb78e1b1d13da72277e858ad26546c70b58d797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
40981e6b1eaed80eaab194cff64bc7f6

SHA1
2a9be014d2aa2a169a96bb1ab2c1cf4bc19cd778

SHA256
a2d6adf8a9b704a923b5231d99dd21fe2d703204a5d96a8976c7a9e843e7b817

SHA512
1c0e8961915cde671ece4570246fbc21e029bd4c640734919568d84d88473a64df3beae6d073479876e3ff793ad785cf086482f7c161702828cce52b736a0d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\bc4a52f9-a05d-4487-a070-4ea3c980d327.tmp

Filesize
2KB

MD5
5a0b91a969fb772ae74fe59537b78b52

SHA1
598c6b922fa39806962f8e6f59f7d84a957eec07

SHA256
c8c78652e2942b986cfc68c0a5f2194871edbb198323a4d898f67b63da729184

SHA512
8b9c1469a94fa03a30ced28a936e46a3b55a2894e3b5e8be7eae7e540128d4df24ceadcbe26697445ac48521af621403db176c9f8eac9155ab4190c702662ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41f016e301a52b4c48b80e485cb4e34f

SHA1
2d28d50d1b5bed03887382d5dc41c5c599e88bcf

SHA256
2b3b3be6892a7ea6bb36b5a4b4779cd3e104e8b276ea013ffed860f9fa0582be

SHA512
69cc75376378082e57f8e72267cff5df019ecc208fc422f13d1e45b0b1021c297da079ce3cf53f184c23ef2ed764bc291acd2263f5ba9a4d2351f3249bf661aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2003402e09de38a7d82240bbb08e15cb

SHA1
20bd5a8881f8f17754bda79c18e47da5b894afd6

SHA256
cbbb7515860de08ef605b15a0bad74e0b64191c761622694613833a47df646ec

SHA512
1123b97c37582d3c4cd584ad969d04950d31e1848261573d074118bbbaa72dd63f99fb277fc693d88ea1243f2b0c70c74d59a984162e97d5e7f3fbee1b3cb291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e447a2ff32bd2f6b90926e59dad54fc6

SHA1
a38bd054ecdc6da6f4585fdb8c0f36c6e8ab0b3d

SHA256
82dc34d4fb3168f2c5fa9b767d8bbf43e3e8343a16c2be150fbd4ee3f73d3a2c

SHA512
213d92451b6418a72f558531021d8061b9f505dbf5868675010eb2831258240dd264f27a2d7261a45d8b0899f66f59f749465e35cf301d9bfe6b8b8ad54bd80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df27e58c96e5662e634328b8e655daf5

SHA1
b61fee4fd4c51c478e6ecbeb72ec24e17126954f

SHA256
cda38101e57e2ac62e5704c2a5f617169e838a3d1007a5fcb2e7ffe07740e7a1

SHA512
ed92ab42ffc44488dc504f3820c53dc2bbcd15005b4c6639c0af378c919cfee72193067da5f325aa072b4f796211e3866f9f9d743a94b9fd818348a60a99ccf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0d24c7164b848d0f65cdbadf74db214

SHA1
9777aa5db384db7577623caa5b1106b685574738

SHA256
ce861447ed658a3f13260c2895bf3d5d37c02bc6cc7c238011441092174eb780

SHA512
bfee425c7e274a240590a0b4b185b5a1cc8509245716d08bae2d80fb1e1325a64ace03c15c13a0dd2a73375046e73d765797f22541acd2dc027ae17d267db8dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8b4cfa8a4afa0e3a293812f99b0e99fa

SHA1
202d2a647557bae2f28620353f10af38cdf1575e

SHA256
c4a50a6f01c2a71dd5d46df2e5bcc02f4abde6eab47008d3a564e6674829f643

SHA512
53731f2b918d44e0d6871bc0ec32d91339aff878747bf366857570d3fd1643d66c7cabeea9dca2e2e829182704ad567870515291dd55dcfb5f5c4ee8556cd2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
ad178ac1951fc4fbefbaf0a51add96e6

SHA1
b6302668c9fde1b38141d14d8985b8bb7ffb63d3

SHA256
a5be6fabe391c05c1350a30423b12b36eac32affeeaa8c7981f118f4b6de485b

SHA512
64cf1e2a3690ac4041dc66a0f20ea95fd7bfa54043f802699ac3c0df85337d62c28890839f0011045dbca0826d6927d09cd3926de5599f8c026d398704cdce5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
fa722e16a032e36ab86ec871afbf70d4

SHA1
ccef3c348d99e539869bf76717159478f3d0bad2

SHA256
a648c76a04c6ea70861e21ebd5cb256d5e9f94c0ecab7ba757356ee1e2988854

SHA512
2f16532a60c9f72b42c43d9a591d5e8912cd98931cabb33ccec0e1145f7d306be1dac0ceb35fb171e5eb80266678cb438536395de9c4c6902753034d40899d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
4aefd44b9085cf056af6bd32eac69be0

SHA1
5a1adde352dd835eaec4f717d67b655a2abad3bf

SHA256
a5d27fe977174790b49bc87be1c30a69609a1fad6e2afb13f912e589026d276f

SHA512
551d824741afb18f24e02677436be2f8d9e6946ffa1d7cf2872e617c99add303a53bebea05a09b054888f77bf0675931422ae272329a1e30a000e66b8b1e8de8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9c91767471b511abadec42d11a5a444b

SHA1
179d2b620009e9f3054a0a0b0ccee9644fef47a0

SHA256
14317a98d730120e2e000ae0191c9521ed8a47e41b5b3d49c3da492b3ec93f6a

SHA512
9f19d59f69cb92c693aa90fb4199c4b96d06d7e9a49423df7845ce29e1a7d7135382a8750d01660b6d71f28f838685b05600b92eac0e4ff3130dfc02714b882c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
memory/1760-9-0x0000000006A30000-0x0000000006BF2000-memory.dmp

Filesize
1.8MB

Download
memory/1760-11-0x00000000068C0000-0x00000000068CA000-memory.dmp

Filesize
40KB

Download
memory/1760-10-0x0000000006900000-0x0000000006992000-memory.dmp

Filesize
584KB

Download
memory/1760-8-0x0000000006810000-0x0000000006860000-memory.dmp

Filesize
320KB

Download
memory/1760-7-0x0000000073940000-0x00000000740F1000-memory.dmp

Filesize
7.7MB

Download
memory/1760-6-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/1760-5-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/1760-4-0x000000007394E000-0x000000007394F000-memory.dmp

Filesize
4KB

Download
memory/1760-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1760-12-0x000000007394E000-0x000000007394F000-memory.dmp

Filesize
4KB

Download
memory/1760-13-0x0000000073940000-0x00000000740F1000-memory.dmp

Filesize
7.7MB

Download
memory/4676-2-0x0000000001210000-0x0000000001610000-memory.dmp

Filesize
4.0MB

Download