emotet | 2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

max time kernel
1030s
max time network
1041s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/2530.exe
Size

1.2MB
MD5

568d17d6da77a46e35c8094a7c414375
SHA1

500fa749471dad4ae40da6aa33fd6b2a53bcf200
SHA256

0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
SHA512

7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
SSDEEP

12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y

Score

10^/10

emotet banker discovery trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cbgndpremium.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbgndpremium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbgndpremium.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = d0f6cf640469db01	cbgndpremium.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionReason = "1"	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = 1030eefe0469db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = 30365e950569db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = 705859af0669db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = f06997e00569db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}	cbgndpremium.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecision = "0"	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = 50a9adb30469db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = 705859af0669db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\4e-4f-05-ab-ca-bf	cbgndpremium.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDetectedUrl	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = 1030eefe0469db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = 70582d630669db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cbgndpremium.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = d063274a0569db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = d0c1d72b0669db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = 70582d630669db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	cbgndpremium.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionReason = "1"	cbgndpremium.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecision = "0"	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = d0f6cf640469db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = d063274a0569db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = 30365e950569db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = d0c1d72b0669db01	cbgndpremium.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cbgndpremium.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadNetworkName = "Network 3"	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-4f-05-ab-ca-bf\WpadDecisionTime = 50a9adb30469db01	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cbgndpremium.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{818A60C0-C6AA-465F-B0C6-49E49E5A8D4E}\WpadDecisionTime = f06997e00569db01	cbgndpremium.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1228	2530.exe
2808	2530.exe
2304	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
3056	chrome.exe
3056	chrome.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
3056	chrome.exe
3056	chrome.exe
2656	ehshell.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe
2616	cbgndpremium.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	2530.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe
Token: SeShutdownPrivilege	3056	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
2592	SndVol.exe
2592	SndVol.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
3056	chrome.exe
2592	SndVol.exe
2592	SndVol.exe
2592	SndVol.exe
2592	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2808	1228	2530.exe	30
PID 1228 wrote to memory of 2808	1228	2530.exe	30
PID 1228 wrote to memory of 2808	1228	2530.exe	30
PID 1228 wrote to memory of 2808	1228	2530.exe	30
PID 2304 wrote to memory of 2616	2304	cbgndpremium.exe	32
PID 2304 wrote to memory of 2616	2304	cbgndpremium.exe	32
PID 2304 wrote to memory of 2616	2304	cbgndpremium.exe	32
PID 2304 wrote to memory of 2616	2304	cbgndpremium.exe	32
PID 3056 wrote to memory of 2012	3056	chrome.exe	34
PID 3056 wrote to memory of 2012	3056	chrome.exe	34
PID 3056 wrote to memory of 2012	3056	chrome.exe	34
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 1936	3056	chrome.exe	36
PID 3056 wrote to memory of 2340	3056	chrome.exe	37
PID 3056 wrote to memory of 2340	3056	chrome.exe	37
PID 3056 wrote to memory of 2340	3056	chrome.exe	37
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38
PID 3056 wrote to memory of 2764	3056	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2808

C:\Windows\SysWOW64\cbgndpremium.exe
"C:\Windows\SysWOW64\cbgndpremium.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cbgndpremium.exe
  "C:\Windows\SysWOW64\cbgndpremium.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6799758,0x7fef6799768,0x7fef6799778
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2124 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:2
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3216 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3688 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2648 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1640 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1152 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=584 --field-trial-handle=1316,i,6422998607360017905,6870816974251662639,131072 /prefetch:8
  2⤵
  PID:1620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2568

C:\Windows\system32\SndVol.exe
SndVol.exe -f 46400666 21478
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_malware_samples.zip\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2704

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_malware_samples.zip\sample_A__092e149933584f3e81619454cbd2f404595b9f42
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2300
- C:\Windows\eHome\ehshell.exe
  "C:\Windows\eHome\ehshell.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_malware_samples.zip\sample_A__092e149933584f3e81619454cbd2f404595b9f42"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ae86bc94f75839d5cc992d25e7dfafdb

SHA1
94ef7f3c0cc716f5c4e458518d30392651f4a7eb

SHA256
3ea0023f25327c068d640c5e6317b60ad00eb1b43d503ef5849b575e92e3e7e8

SHA512
8f3433278a5c44775862d9c6f4012083b37ac4e961cba3c0bcbb3a97ce8bf4e9460849bdda566bb9c4758e3ad27a6fa393ce4c259cf0faa007a6c575a70ffa18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
56df83a5c4d0af625849043f0dd47e14

SHA1
44ab3443455ce60c86166d146771a4cfef38c1b5

SHA256
5f5a50aa43494e1ca40d29dc7b4a79e1f26c08b9892e985ce1321e6113319b5c

SHA512
b9785c26f02a8bd73cea4ec7b07b506025fb024d29eeeec5a9fb756772899331703f3bfe32d65f34c9e63a83c8fb8833c78fe2ac98efd35cee4c865cd6c801ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
dfdc09a3d9aa088cc09929987b9fe272

SHA1
6721efab5213d2082089d5f48a7cd53c80a00664

SHA256
e01f9678659ad6154f09a84d5a6d0cc78d9953bdac1bf6d1cee07ba12955455a

SHA512
5fa2d417c67c2a402129d582c80e5facfc72ff62ead489cd3fc502f09a0a751069816b3bcf4d67983c92c155ccd36a62c973d4cce0f460cc5b389a10d126ef26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
359B

MD5
32f96bf289586500cc9c7299e2c03d1e

SHA1
cb47d22a4c4ac1f44b969085aec594a38311c358

SHA256
07458b77db1fda65e53a4c7f2d34449c103a229c7e6510a456e4f08d9879648f

SHA512
12f85636804b3ff6145849dbec4b0494ccb0f048cb7ead23c022f374fa657daf54ea9dc404eb4185ac56473b54a6f63a68594dba962c7fe230a66d8d0c3e46db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
44a4839028c3d533b7c4378f5d1a41c4

SHA1
f24d15333140e39aa1d3a1cc8a8cb579c25c78a7

SHA256
ae977bade3000f689b6b3bb099c20af938deb2f2db6f7d51398dbfada842c1bb

SHA512
886da8f8b848e80851a0480c0b28351bd040aef04e322fb007978c9161ab89d608014230e0f0441ff2ceb2e097f043c47b306b5e102efb84133744cd9e87a109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41b3b55f0f7bbb43c81dd4f5deced754

SHA1
6f4f6fd238ffe61383f9e21dfa818ab89900153b

SHA256
395074078bf12e07e6278452cd9fb3d3acc5a8a5a8b443c7f197a4831916b740

SHA512
661c0c938116a2df4cdbf49dd3e630dca34ffdb9a504d3260cd92aba664e1ec3bae8f2c882e6f8f75270ed6c65bf8e6cf57d7bc6830b86de51947833c6c509ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
59c13f95ba1a428a27f50d50df319f03

SHA1
297408fdcadcbbdba4a2955a4d554f38a5018333

SHA256
1e13d3d583fe7965cc8d4631287c93d007fc173ceb5bfaac37984abcaffe327a

SHA512
d5eb0aa9c02eb0cf15ba65f50b7e052788ebe2f3621b2bae6d9f50830a0d87ce4d928484c3666f3cf255a0ebe31b78182fc746c2f9d5f13e9809e5463d1941f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d0675324506d89843c516abb4a7003f5

SHA1
9f25fd0e3fb6fe3067ade76a7f46a3918e0947c8

SHA256
bd842233222bf166e44f0a01ecf6394464c70a304fb9e63c36bd4acc10938e9d

SHA512
cbe1638cb8432742833065e14fcabf01d4dd4a42c7baddee1618ac75dd57a70493fe38641cf4abc6b8ed3ce0d3f2ddec776c33d03c1aa398977002d6851d3b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
28975b79a75b67cf7d6970f96b086016

SHA1
394d1ff1ed42a421871b26088e27a6dda91152e2

SHA256
0fa230d57121548eeba4cf56df0c1aad1358c9c8383330729d8c621ea41b1016

SHA512
9f1f4b5d341c0926b21b15e9af265d7febd37d114a2fea2162f09e2e84cb1aaa3b6a70be626ed33e3a9e0bbcc31849ee0b71e242d8f013b919763e91fe0e54bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
226b7a14987badebd9813383b99fac17

SHA1
17e0866bec54fa323cda9eef38c92f938999778e

SHA256
c0469103acb146a8092cf6281a258fad9ba3d1dc40131dd3f4cf16db1714bbe3

SHA512
27b86f90df7557f4e7881f9e0e4d2bb199c2c5677180b0a6e45cbced23acfbc5096461e9d200b4977d5c3cd5017af794895f1c7676efb7236498614abb9a9c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c2d50511-784c-4a4d-8d58-26acbce3b92e.tmp

Filesize
344KB

MD5
cb1d2c942c76cda6a9f0779c25a1023d

SHA1
8165cfc292ed2c4af98e4fc3ddd9b0d7070760d7

SHA256
7dd5e904796b07fdfc3c1549343ffb2242bb316c322fb667b1d6abb85c426fdd

SHA512
10c0e1750bdb6c1b2f618b8e31b259b91ba653d72ed007147e2613b5ad3fa5a43ef05f0f73d0020164c61b818c3a1ede5a8adb4c875fc09fbbf3f14df2196068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9EC1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9ED4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\malware_samples.zip

Filesize
192KB

MD5
88a3232098179beed4bfa0d661ad19cc

SHA1
fdf08fa24f1e51e35c1b1607abcc0024a1f9af43

SHA256
b1a5798d6ff41ab9dbed635de4fbbb8e27ab7a7e55e80285e5c2ba3106e68f34

SHA512
45cf9590a1cd3d5fb8cb2d015c1097d5779cb26a973b0fb3649873813f63dd6e4c5e6e13b0e01746194bffb513f9c455c266fc6f84dcacbf12f0f4e64994ae89

Download Submit
memory/1228-4-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/1228-10-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1228-11-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1228-0-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/2304-14-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/2304-19-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/2304-15-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/2304-20-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2304-28-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/2616-27-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2616-31-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2656-306-0x000000001F070000-0x000000001F128000-memory.dmp

Filesize
736KB

Download
memory/2656-310-0x000000001B440000-0x000000001B44A000-memory.dmp

Filesize
40KB

Download
memory/2656-303-0x000000001E2E0000-0x000000001E8E8000-memory.dmp

Filesize
6.0MB

Download
memory/2656-304-0x000000001DC10000-0x000000001DD94000-memory.dmp

Filesize
1.5MB

Download
memory/2656-305-0x000000001B4F0000-0x000000001B58E000-memory.dmp

Filesize
632KB

Download
memory/2656-309-0x000000001B440000-0x000000001B44A000-memory.dmp

Filesize
40KB

Download
memory/2656-308-0x000000001D0B0000-0x000000001D0E7000-memory.dmp

Filesize
220KB

Download
memory/2808-26-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2808-5-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/2808-30-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2808-29-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2808-9-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/2808-12-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2808-13-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download