emotet | ac6ff653497ef0da394e6485c2a29b584c602ae1fbed0a5327737e756045cc68

Analysis

max time kernel
82s
max time network
89s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe
Size

536KB
MD5

606c57b3c2a758e1240a5c0d56b9e1f4
SHA1

c96fd5f1ddc101b767bb2c61dfb0ee8526800140
SHA256

83b59305347b3939113353adcfd1f8cefa64f97a7ef58dde3d579471b4f0b935
SHA512

e9e2b3a764ad501a86721fa9c5b68f8a470aa8b0f4aac7857acf8daf9b23dad2ddd5832c8a6ae2b553573df690a5a9db3642cba43be732fcf9185712aa9e3fa9
SSDEEP

12288:ERIp0cYMucwnC1sc5h/apsSdXQmFHyq9n00tE:ERGuO1si/apnAk00

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

110.36.234.146:80

191.82.16.60:80

91.83.93.105:8080

216.98.148.181:8080

68.183.190.199:8080

190.230.60.129:80

183.82.97.25:80

114.79.134.129:443

89.188.124.145:443

178.79.163.131:8080

76.69.29.42:80

87.106.77.40:7080

178.249.187.151:8080

62.75.143.100:7080

201.163.74.202:443

62.75.160.178:8080

181.188.149.134:80

186.0.95.172:80

217.199.160.224:8080

203.25.159.3:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	resapisyc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	resapisyc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	resapisyc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	resapisyc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	resapisyc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	resapisyc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	resapisyc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	resapisyc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653700188312783"	chrome.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4264	WINWORD.EXE
4264	WINWORD.EXE
2368	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5052	resapisyc.exe
5052	resapisyc.exe
4592	mspaint.exe
4592	mspaint.exe
5052	resapisyc.exe
5052	resapisyc.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
5776	mspaint.exe
5776	mspaint.exe
5052	resapisyc.exe
5052	resapisyc.exe
4564	chrome.exe
4564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4656	c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	PaintStudio.View.exe
Token: SeDebugPrivilege	2368	PaintStudio.View.exe
Token: SeDebugPrivilege	2368	PaintStudio.View.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4592	mspaint.exe
2368	PaintStudio.View.exe
2368	PaintStudio.View.exe
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
5776	mspaint.exe
5776	mspaint.exe
5776	mspaint.exe
5776	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4656	2312	c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe	73
PID 2312 wrote to memory of 4656	2312	c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe	73
PID 2312 wrote to memory of 4656	2312	c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe	73
PID 3088 wrote to memory of 5052	3088	resapisyc.exe	75
PID 3088 wrote to memory of 5052	3088	resapisyc.exe	75
PID 3088 wrote to memory of 5052	3088	resapisyc.exe	75
PID 4564 wrote to memory of 4036	4564	chrome.exe	93
PID 4564 wrote to memory of 4036	4564	chrome.exe	93
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 1572	4564	chrome.exe	94
PID 4564 wrote to memory of 2424	4564	chrome.exe	95
PID 4564 wrote to memory of 2424	4564	chrome.exe	95
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96
PID 4564 wrote to memory of 1724	4564	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe
"C:\Users\Admin\AppData\Local\Temp\c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\c96fd5f1ddc101b767bb2c61dfb0ee8526800140.exe
  --2dc7b3d
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4656

C:\Windows\SysWOW64\resapisyc.exe
"C:\Windows\SysWOW64\resapisyc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\SysWOW64\resapisyc.exe
  --674e4039
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncMount.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandWait.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\AssertStop.doc" /o ""
1⤵
PID:2120

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameSubmit.emf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:5916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Downloads\BlockComplete.shtml
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa6ef09758,0x7ffa6ef09768,0x7ffa6ef09778
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:2
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1752,i,5662478365371002784,5385508689303378411,131072 /prefetch:8
  2⤵
  PID:5208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
602B

MD5
5bf97c040fd2cb79e7d9d43c9e8bda96

SHA1
6cfc4616f51d451f726ed6364f33fb8300e3ce0a

SHA256
e8a9ad1b903435de67d83483bcd712bdc3daddd2afc83a6577376d530c74a173

SHA512
9527dc4449fe4baeda6ffb14e9f02f621996e4fcf3d6250e6b11fb0d85014dccb2feef8980f7db7818a72c4e494c08217479b99f583dfbcad6a118de507101c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8fc45604ef09372631442be62c8f4201

SHA1
5c0f5e974f525fe35abccb5a6bed2c3af4c91060

SHA256
a7d961fd978c043cc4a8d66e459796d75679c100561b955a141ad380d6619d82

SHA512
270a4b19f5f5437196cb52fb8ce778f973df2d0142e7dd2a058eaeaa8fd9b6674d6b9acfde3b329a2c8c11dda8c86e2ce9a71e7ccbf66799a78088111f3bf70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
45c0ac7aa1f1b4878d8e7e4e835d85db

SHA1
5b9e418b3bd38df2647e4dd3dc8c42615922b461

SHA256
fb68743ad34ee9494d0bd1d12e517ccfec7753988a7673f044709357a3dba093

SHA512
9b279357733f163808933192b66434352d9cf08c89bd6786cfe16c334d9b12e1c1f4ccacd7f5d92b0c35630ee64d6ab64dc53b5a5687f9683ef8306d506e9af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
86d57899c83c179f7eb34c3174689067

SHA1
d301e59e1471c574886935231bd6bca5f1ad50fd

SHA256
3beb82a7f872678602a85ff714368c27e87c381d8cd72b8beab23d3f6cfe4bf8

SHA512
0f623c59b7480293a57500e1bfe13dc5c5fab7af75433546d1a4912d99fa8773839155ba068ec6b93d0138215f2556d584d17f4e37314409700879de9e608e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
233B

MD5
799593112997304fa535bc104edb03e7

SHA1
06382c1c3183fe2fcc9538517385ce8230cbeb4f

SHA256
0cbb6f21d0e88aaaa967a582674e2fda7035c1147a942422813eceeb6915eff5

SHA512
b4f173c735aff1d7badfbe06516503161e7f93f02a5419ffb26ad618b57e372559e38735210f0f3ee8762ea8a505cf561912143a250c43cb20ee9f95ed3df4f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD4893.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
257B

MD5
3c4b2044d38260268ffb1f1b195bbde0

SHA1
a52407f994e9eb7d450fb1994d8af19e2bce46e8

SHA256
6ac773eb2c86bba6f9077384a4f69838c89f6e665968be7e0d9f5d09d03d5d82

SHA512
c574e2afc02c199c5dc5679f07afb1216605cce733abb7d97e2ceb079f442ef2c6e06bc67f98c6d036a6e504141df4bf208fc9b8c2c48f8d97be29ffed319a89

Download Submit
memory/2120-273-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2120-271-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2120-272-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2120-275-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/2312-0-0x00000000005A0000-0x00000000005B7000-memory.dmp

Filesize
92KB

Download
memory/2312-5-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4264-24-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4264-29-0x00007FFA398E0000-0x00007FFA398F0000-memory.dmp

Filesize
64KB

Download
memory/4264-23-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4264-28-0x00007FFA398E0000-0x00007FFA398F0000-memory.dmp

Filesize
64KB

Download
memory/4264-25-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4264-22-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

Filesize
64KB

Download
memory/4656-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4656-6-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/5052-17-0x0000000000DC0000-0x0000000000DD7000-memory.dmp

Filesize
92KB

Download