eternity | 60f53aece03a8119efd11af5a161d354604fa5f92354b4d39018b2f0b781e65b

Resubmissions

19-08-2024 22:08

240819-12el7asdkm 10

Analysis

max time kernel
100s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EMV Reader-Writer v8.6.exe
Size

338KB
MD5

6b2aa828fd00b099b6a3f4acb72b96bc
SHA1

cfb0ecfdf321d7f3cf068e40bc24b9e29c8ca686
SHA256

60f53aece03a8119efd11af5a161d354604fa5f92354b4d39018b2f0b781e65b
SHA512

82a5ed821f5e0b02661c88f8d777458703894d8723929dce35c9758e3bcd7d020e8dc27a89e2f7c5eee2f8f92bd69d3a6b3b303d7dc00506c433dfbce0331089
SSDEEP

6144:tEtm1/I1LrZ1GXMe9rg5K33kf5n0RbsmxvHWw1i:tEtmexgMe9v0f5n02w2X

Score

10^/10

eternity collection credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EMV Reader-Writer v8.6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EMV Reader-Writer v8.6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EMV Reader-Writer v8.6.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2656	cmd.exe
2752	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2200	netsh.exe
2144	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EMV Reader-Writer v8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EMV Reader-Writer v8.6.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2752	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1736	EMV Reader-Writer v8.6.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	EMV Reader-Writer v8.6.exe
Token: 33	2440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2440	AUDIODG.EXE
Token: 33	2440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2440	AUDIODG.EXE
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe
Token: SeShutdownPrivilege	2788	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2144	1736	EMV Reader-Writer v8.6.exe	30
PID 1736 wrote to memory of 2144	1736	EMV Reader-Writer v8.6.exe	30
PID 1736 wrote to memory of 2144	1736	EMV Reader-Writer v8.6.exe	30
PID 2144 wrote to memory of 2328	2144	cmd.exe	32
PID 2144 wrote to memory of 2328	2144	cmd.exe	32
PID 2144 wrote to memory of 2328	2144	cmd.exe	32
PID 2144 wrote to memory of 2200	2144	cmd.exe	33
PID 2144 wrote to memory of 2200	2144	cmd.exe	33
PID 2144 wrote to memory of 2200	2144	cmd.exe	33
PID 2144 wrote to memory of 2136	2144	cmd.exe	34
PID 2144 wrote to memory of 2136	2144	cmd.exe	34
PID 2144 wrote to memory of 2136	2144	cmd.exe	34
PID 1736 wrote to memory of 2656	1736	EMV Reader-Writer v8.6.exe	35
PID 1736 wrote to memory of 2656	1736	EMV Reader-Writer v8.6.exe	35
PID 1736 wrote to memory of 2656	1736	EMV Reader-Writer v8.6.exe	35
PID 2656 wrote to memory of 2692	2656	cmd.exe	37
PID 2656 wrote to memory of 2692	2656	cmd.exe	37
PID 2656 wrote to memory of 2692	2656	cmd.exe	37
PID 2656 wrote to memory of 2752	2656	cmd.exe	38
PID 2656 wrote to memory of 2752	2656	cmd.exe	38
PID 2656 wrote to memory of 2752	2656	cmd.exe	38
PID 2788 wrote to memory of 2868	2788	chrome.exe	43
PID 2788 wrote to memory of 2868	2788	chrome.exe	43
PID 2788 wrote to memory of 2868	2788	chrome.exe	43
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 1052	2788	chrome.exe	44
PID 2788 wrote to memory of 2436	2788	chrome.exe	45

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EMV Reader-Writer v8.6.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EMV Reader-Writer v8.6.exe

C:\Users\Admin\AppData\Local\Temp\EMV Reader-Writer v8.6.exe
"C:\Users\Admin\AppData\Local\Temp\EMV Reader-Writer v8.6.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1736
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2328
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2200
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\EMV Reader-Writer v8.6.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2692
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2752

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6129758,0x7fef6129768,0x7fef6129778
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:2
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2072 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2080 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2000 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1560 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3724 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3116 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=584 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3924 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1376 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2552 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 --field-trial-handle=1308,i,6969795041984295976,11603984367866821270,131072 /prefetch:8
  2⤵
  PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
49b5bc9d779f90b6ba9334d37b5feb8e

SHA1
99041390f4be440a4b1c7151df6b07e55219f5e0

SHA256
68476001db661d40f5a7adef79802f34d563054e47fafb079d54ed0aab08010b

SHA512
52b5d432a368fe49f5b71d66a110060cf7300488299ff9c03710187c10fcaf27bedb4e3a64782752ab9f3c6b232954fba670c26c135bc4c4b193cf7cd8c20572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a7b8bae181c2624c0801ff9b33db2412

SHA1
1ce2bb8d78222ab72e2a56c67b0db4f4e6b91108

SHA256
458a8da9abab1ed27f34ee125d4de040b10de773329fb3bca934259e598a378f

SHA512
ab0264d47a1e07e52ff703071e1ea7755bfe36bba2b5315f25ffa32832cf04f13106e10d9dc25dd9f6731ef0e6e8740eee14861150b8a8239003b86f875c6b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4a5141ed51e4d99c0b7ec6911cae2269

SHA1
f8d7714a080ed1072c15f107b20b95b64bcc607c

SHA256
e3b866430f271a783e548d950bd8ad2b7de56fd9ef0c858df9b879b32efb8dae

SHA512
a5bc17c3b30df76ee36b8848556110b1f4189365a30938e4198e6cb5117d3cb21784f41d9673d4662a17c7696c099a4be41dd415cab9a054bf8254e582fa51c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF84.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1736-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/1736-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-37-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download