d0127c9658a5e6599a876f942a8d9eb46771f8f504c1eb4d3d4dd90b0e917574

Analysis

max time kernel
106s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-10-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pic8.exe
Size

1.2MB
MD5

2641c36c0e8205672c3b20a4bb79e802
SHA1

8a8c7312e275ea2ffb9b73a46a057fa31669c371
SHA256

5d5be2d807ae58e049ea38dc8fa0d084d63d3acedb1bfe47a0befcc6e14c95e3
SHA512

b3fecd5958ed1960a885f285d63aff2593bec3da54192e2a3674ec843132da98419f1cc414532a61d8e91e43ba89e13a658c239f7bcfd0694ab33ad8c66b2399
SSDEEP

24576:4kazQhNR3fNR84iv88LT6T6h0lhSMXlRg2r:LaMhNR1m4ivLv6TXhJr

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3960	cmd.exe
720	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735748503995009"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
720	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4720	pic8.exe
4720	pic8.exe
2156	chrome.exe
2156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	pic8.exe
Token: SeImpersonatePrivilege	4720	pic8.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3960	4720	pic8.exe	79
PID 4720 wrote to memory of 3960	4720	pic8.exe	79
PID 3960 wrote to memory of 720	3960	cmd.exe	81
PID 3960 wrote to memory of 720	3960	cmd.exe	81
PID 2156 wrote to memory of 484	2156	chrome.exe	85
PID 2156 wrote to memory of 484	2156	chrome.exe	85
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 4116	2156	chrome.exe	86
PID 2156 wrote to memory of 2852	2156	chrome.exe	87
PID 2156 wrote to memory of 2852	2156	chrome.exe	87
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88
PID 2156 wrote to memory of 1252	2156	chrome.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pic8.exe

C:\Users\Admin\AppData\Local\Temp\pic8.exe
"C:\Users\Admin\AppData\Local\Temp\pic8.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\pic8.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff917d9cc40,0x7ff917d9cc4c,0x7ff917d9cc58
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:3
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5236,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5252 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5380,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4284,i,10962354812452113068,11400991650364839669,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4188

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2648

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\20cc982c-1da4-465e-8720-75dd7ebef3a7.tmp

Filesize
9KB

MD5
678bce652d5b53ce1d0ec74092253773

SHA1
666ded2f18d1bb7576b66ec5710e633af9416e28

SHA256
bcd0dc425f63005499dce2d931b9169daf7297cae7d40726def7c3047102cd32

SHA512
f8efaf7eeb2d70711421fa67521327ff28624cd56369ff5df0139bb05d889f53106ffd0dd38ea0a480221334387722074721ad114da9071d7d9acc3fdfa0ff39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
863d8cffbb81e6c8ec0b8c4739c94417

SHA1
0436b508746aa8e5f5f7d34f25eaf60bb562c690

SHA256
047b9764c396b59358f5ff43155bde7bce0339a94268cf49d05d4a8f49585012

SHA512
9ec852bb5f779ebe774227ce94b2cc0084370a23286525045ec7b89ba5cae2ff01d3077760c40650dd4aaeedf33b91673362d96ac4b75313c1f1faca8189c163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5bb2806bb7420aa288b829ca686ffb49

SHA1
164aef2dc2cb10e2b796518493a7ff178d9df482

SHA256
bab5f5505af7abb72e15ad476a0d3e9138df68e212514960fd42b522247ec01c

SHA512
bac8f90d8fc00b4331c6e32f73175bb6ff6a28049d1666ce69ac3883fe51fa3a88f060af5e119a626eb46546f38796316dc5ab9de0fa71de918534552ffd5af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
97fe75f1eaded0119c9bab3ab7c00ca8

SHA1
99bce999a254bdd3e7632afbefe52b86d5980273

SHA256
a5028176558eca6053eaf67eeb37a3551f801a90bbb199f27365aef5c91d660a

SHA512
9c3ed547011ea6b8ff2df12c4ec30200b67bb8b7cf3da83639eb5eafb9184fc7975d0b5baa80ddccb4fb8510a7417d22b19f3028e5ad8bc78575e33e0122cf1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
2f6072b42945068b123d396df79d505b

SHA1
40d675b51c0dec15dfd555b89a17dcff43743c88

SHA256
adcff50252b7ef973e4d0c4bc2fca2400fea8cb7820cf4cce1508142374b3621

SHA512
274ba920d41835946efe1dbdd43d2135ce5f3eec1b8f39a68636bd1d8c71beabf50a1a2b3b932940baa8637ffb1d908098b30d714acb2d96f4ff599c324002ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a58104f3381cf25e15fbd169b4a5cbfc

SHA1
d84c3dd556cb2aedd9b6134562d3a0e4b35d5928

SHA256
36bf4691766e533997851fe83aba98d24e78dae24860b23ba55d9fd0c7bb0585

SHA512
8c9342b08845f189d6562c87d9f31a8d7b15067d52e0b2166592b57adbb860e3a9671d19ad91edf6558d644511aa23bbe2305c6f6c1c74314fb009e2175e0b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
af114b232c03e9523dd5318952d36521

SHA1
d036e3d871291382a64efab9dbf942ab1074fdc5

SHA256
499523ccae3bae2117244453b76118dff296bbcb20134dfde0d4bac4c7aac1ff

SHA512
6a012645e2f4099a212261c18dfb3408684f8f8c7f232f53fca007ffeb695010ad61641b2d94b5f4e32d17082b539eea5b366b04181b5e1f12018c10aaa60dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
555ac50a6bfb590a4fa48a133d2c3534

SHA1
1087e833f49562fc45c5493720b05d45fe123c0c

SHA256
8ea84fab11560e23b4d9a0f7114f179151e66f002c7268002a258e65a3a4aa46

SHA512
94f5f996db53bdb08760410879c5182e137f9518a3edf8928f7597922cd3006f4ce2fa6dead6e6c2e03221ed69e2996e77d81146584c9bb9fde27a382e96939f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
fb4c48f1b70175ff1749e758d8b08be3

SHA1
bfda7de068c970139cf848c8169789d078cdc81f

SHA256
2b8d148673122d695d96d8892af2d9ac5bf51d4c35b0353a479f48c1ec702b0a

SHA512
6ac269bef14028207651644676c3936554231774cc2f15d76b23bf4858ffc156f91105b7ca1a9a1a9f297c0583aed198509bcd0074d0e5d7a97a4329e2bb8eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
21907d57912be6dc5fcd15a3da1a283a

SHA1
99a7e1bfe0450f414c5deebab99501c6f1d4ddae

SHA256
8aac30c00a11717e5326c130dea6415961c896ec558de8e7107889cfd6398f69

SHA512
46d440aee658abab5c186539799c198d2964a2edff8509098a2dc61320cd4cc79a40de90e7344645a1cf195a34666fa5fd7954aca44b473690cb0877ac47ef9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2156_1699935155\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2156_1699935155\bb60261a-153f-4b4d-b980-cc7d4f007bff.tmp

Filesize
132KB

MD5
e2d2f826a2253da9da88faea320734db

SHA1
17b24a01c01485399600196b6aa68456f070942f

SHA256
e59d727ad2f2ea2612506af5418a2ebf5974f16f7aaa9f7497bc92d75a451624

SHA512
ad0686dab396d77cbf6a39628aca8a712793257232eaf43e4cd27a27b32a7411fd2755bcbd92d3a9a7acf32b0e7974ac65fbc5b28615d91f48558acac7af767d

Download Submit