d0127c9658a5e6599a876f942a8d9eb46771f8f504c1eb4d3d4dd90b0e917574

Analysis

max time kernel
123s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pic8.exe
Size

1.2MB
MD5

2641c36c0e8205672c3b20a4bb79e802
SHA1

8a8c7312e275ea2ffb9b73a46a057fa31669c371
SHA256

5d5be2d807ae58e049ea38dc8fa0d084d63d3acedb1bfe47a0befcc6e14c95e3
SHA512

b3fecd5958ed1960a885f285d63aff2593bec3da54192e2a3674ec843132da98419f1cc414532a61d8e91e43ba89e13a658c239f7bcfd0694ab33ad8c66b2399
SSDEEP

24576:4kazQhNR3fNR84iv88LT6T6h0lhSMXlRg2r:LaMhNR1m4ivLv6TXhJr

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	pic8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateBroker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4032	cmd.exe
4864	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735748195981577"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4864	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3308	pic8.exe
3308	pic8.exe
4044	chrome.exe
4044	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	pic8.exe
Token: SeImpersonatePrivilege	3308	pic8.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe
Token: SeShutdownPrivilege	4044	chrome.exe
Token: SeCreatePagefilePrivilege	4044	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe
4044	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4032	3308	pic8.exe	97
PID 3308 wrote to memory of 4032	3308	pic8.exe	97
PID 4032 wrote to memory of 4864	4032	cmd.exe	99
PID 4032 wrote to memory of 4864	4032	cmd.exe	99
PID 4044 wrote to memory of 348	4044	chrome.exe	111
PID 4044 wrote to memory of 348	4044	chrome.exe	111
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 4108	4044	chrome.exe	112
PID 4044 wrote to memory of 2976	4044	chrome.exe	113
PID 4044 wrote to memory of 2976	4044	chrome.exe	113
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114
PID 4044 wrote to memory of 1200	4044	chrome.exe	114

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

C:\Users\Admin\AppData\Local\Temp\pic8.exe
"C:\Users\Admin\AppData\Local\Temp\pic8.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pic8.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb66edcc40,0x7ffb66edcc4c,0x7ffb66edcc58
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5024,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3708,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5172,i,2171324626727052676,6303739539605520733,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3992

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
95e4e098726d99c528b3793a8f72fadd

SHA1
4dbe1a8862c87b9e526adef8f7ea14a36c583551

SHA256
39d1403d74a1af39a74c3bb4871b634eff29b7521318d256194f007f019ce8fe

SHA512
1087ccf7df915d77f6c04c57abb3896b7691ffaa91bf6de6164737620253e268575d6e3ddece15d5375724206ef4545ee08fce8454fb5e69a984b0b1c37a986e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
fd227bb8c0fb1485eb6b859a115f7ea0

SHA1
a59d24a9045d078fc078aa34d9d602a387a39488

SHA256
4e27479cdf60a0629a04c0517bc070d8072659dd0c0818956b67f8be0e93b33d

SHA512
35d717e72107505970ee0bfb44717803d58de73128cacb392c3975552318df0626f4c5d7411c7afe86a9c0d9234e051d3f949310a767c56bcd900a95e8cfd861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
00b899b3a9d6d04c6d014123e8980449

SHA1
d3284f24950234c29cff8d063a056efed26468f8

SHA256
fdd8019634f0f49a2d42aa43b7e1f58125f7b4f3b7d1a0186ee092afbbbdc410

SHA512
2529731aedda46d37cfead9e94d0185cac3f37c9fb5c0305f6c91fdca0a44f20083baab40a1d95efabd4797061949a40b4f4426ded078ca456723517d023b16b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ff0c9dffade7043d2e1a4a731c6259f1

SHA1
37cf2239737eddbc489b0b40b781b59f8155626a

SHA256
e9bd774ca71241434da7da84ec4e68a86eb6291e7db1e1905d92be5f710d9257

SHA512
af8624c71b791e9ed09b66b408d87d20f100459755f709250e03d7c8d73a5f7c2d3a71dd60cf5f38f613b79d84c99079ed5337f740fae0d2e181bb74225fd65d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
42e49fb8cfa88e5087e6316163fbe782

SHA1
ccf66cfd9c8b3694d4c9aacc9044ca863875abd0

SHA256
2eabe93f1b218a0678b1902d95cbde222aed8509cdd27aa9e03b0e185569c25c

SHA512
17a7c99533c045ee10d3e1910491f9a1fd220fba4e2a396abc21a78318e9ab221b8cdd05076d65b4164041822c74f039716c02546a216bae2d51502782bd8233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5babb479f19e680227ff545b95c5c041

SHA1
a6df1d6427a8b4d07ded317a2f9e6c16ba92b67d

SHA256
0f2af36ad10ff88e1342b213ec27de28b2dfccf277dff51bd32a00521417bb46

SHA512
8d6a060f537f20b579ac1085205408847fed29b88682d72e2c302b5d39119f75b0e74712043b08efd94a0137390a3739defed7cb43112abb223f32471dc2f8ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6f53dd3fd00decdaaf48d52029634827

SHA1
9989820f9a879d8629e900e78f62019170665221

SHA256
175aa4e5c8a90516994cbb8c8d3a3668c567639cf47449211839293c96189ff2

SHA512
4dfe466ca88ab67ddf5cd5da98a1d02ef7787c144a50e8a86d0628d779f275bd9a6bf870126c36af5acad870cb2e55f25e27d8701011fc14e608b4a43cb1ed41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f8f759bdbb76721164e6e75e4c4d5a69

SHA1
0dd4407bd33dce17a2f84074997804f4ef1f168b

SHA256
24b89fdac9249bb925b8f5cb52128de167f4f39e3b4b45627a9410e8a94f28f8

SHA512
60e8be2b7ea1a0f476f113866aacf312cfc881d333a6a4b4adcb4e539f88eaa9dfd1bd59564e15ac76720846d9387e3481421b10841d2ac9689bf5115da9ffcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
4eb21e7a19a0bfea5278b845e4bff878

SHA1
ed7343ecd14dd08195dc64eb6feb42448eb08501

SHA256
5d5c8b7d6effdb06755dc05ddd561dbfdfd4c48aaa01aa01f4b7b3b0e9e0af0c

SHA512
f69d27f1413b403f194c74179fa4423ada22436222b783f2bb766277481d09d26b2935263ce3cbe4dd17319c99f6dda2ed14365258e22583b3f8cb2a319e71a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0d7b5aeeff1e7ee5dead9f93fdeb945d

SHA1
e064a73be8189c3a916dee351bf36613453994b9

SHA256
f138a776c22d8e50eb774e13f4675855201bfd3790d87764cebc90d3da2812d6

SHA512
6971e24cf3306eefa7ad17e944092f508d00e2568d4340f1cea5769800d812879d7f62e4763c616ecf640bfc92985dd6f7deab1032cbecfb670259d4b8ea3924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit