umbral | hxxp://gofile[.]io/d/84Or4j

Analysis

max time kernel
42s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gofile.io/d/84Or4j

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1126841818676469870/wKxpU1x96IZptY7EnGleqZ9QSvJnnb_kUZs-okVDW4YwrmKMhSdXUiJ2NC1IkE5gclP3

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00080000000232e9-500.dat	family_umbral
behavioral1/files/0x00080000000232e9-506.dat	family_umbral
behavioral1/memory/7760-510-0x0000013ED2E20000-0x0000013ED2EA6000-memory.dmp	family_umbral
behavioral1/files/0x00080000000232e9-509.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 2 IoCs

pid	Process
5356	Edge.exe
6576	ItroublveTSC.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
649	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Edge.exe	ItroublveTSC.exe
File created	C:\Windows\ItroublveTSC.exe	ItroublveTSC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5380	7604	WerFault.exe	157

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7204	schtasks.exe
3840	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6628	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133337726410879551"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
6576	ItroublveTSC.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
6576	ItroublveTSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5408	ItroublveTSC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3320	4920	chrome.exe	47
PID 4920 wrote to memory of 3320	4920	chrome.exe	47
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 1636	4920	chrome.exe	86
PID 4920 wrote to memory of 5104	4920	chrome.exe	87
PID 4920 wrote to memory of 5104	4920	chrome.exe	87
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88
PID 4920 wrote to memory of 3404	4920	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://gofile.io/d/84Or4j
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9a049758,0x7ffc9a049768,0x7ffc9a049778
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2720 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2712 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3148 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5136 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3172 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5492 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5320 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5784 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5760 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6424 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6568 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6528 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6884 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=7072 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6876 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=8016 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=9060 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=9036 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=9020 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=9004 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=8612 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8592 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=8576 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=8560 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=8524 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=8372 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7812 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7672 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=7560 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7524 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7196 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7856 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:6724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=10396 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10244 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:8
  2⤵
  PID:6284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:8
  2⤵
  PID:7164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=11864 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=12004 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=10212 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=12316 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=12256 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=12472 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=11900 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10144 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:8
  2⤵
  PID:7732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=12776 --field-trial-handle=1880,i,8439700502689690763,11981511641067207016,131072 /prefetch:1
  2⤵
  PID:7920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8048

C:\Users\Admin\Desktop\ItroublveTSC.6.1.3\ItroublveTSC.exe
"C:\Users\Admin\Desktop\ItroublveTSC.6.1.3\ItroublveTSC.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAdQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaAB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Windows\Edge.exe
  "C:\Windows\Edge.exe"
  2⤵
  - Executes dropped EXE
  PID:5356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe'
    3⤵
    PID:7152
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "msedge" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7204
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe"
    3⤵
    PID:7604
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 7604 -s 1128
      4⤵
      Program crash
      PID:5380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe'
    3⤵
    PID:7576
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "Update" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe"
    3⤵
    PID:7760
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:6432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8354.tmp.bat""
    3⤵
    PID:5540
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6628
- C:\Windows\ItroublveTSC.exe
  "C:\Windows\ItroublveTSC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 7604 -ip 7604
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d6a2bb0af172520719d15141924ebcfa

SHA1
118d1f8e3762192bbc36cbb8f1ccfec210189090

SHA256
f89daeb365facbe9fa3b7ba058e2b6dd765c52ae3578bf98f0d581ee27cac2bf

SHA512
7dfe34bc1327781dda37ecc84c421c58a5426ff7bb3cbcb5862f394b25cb080564a3cd46037e6a9a5af77bb8d737951e5d2eb7d2ba064b6c56cc42cde9574894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
198d3bd86bf5b4c5041894d96526a4b0

SHA1
336bafa25a2da5b9d17ee5a154484c795dc7abac

SHA256
83131ee06fcc567df358e3ff51d392b58ac25f01366fad2e0465a70aa4834a62

SHA512
cc43349f125107558e0d374362ae4f4118a02585264e9412cd684e1760b9073ecf55a8c1779255ba8f6579700f592ea55f3f74fd7dea8a74f91d734cf00274aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
b187e3bd44c5c360d594061b0ab57a37

SHA1
fb57758347c185b5040c465b2c0cc761615a2acc

SHA256
8db22572d3e38133cf6f7cdfcec87663256441df492ff39b4d8222f9787890b8

SHA512
5c3eccc1c30d699c412278a6317f7d398d55fa3550b74503657610e20e1932abf1b39fdfb941fad1b6833fb7cf7adc4cb899461b4a3391428282e923bf31bf3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43843ecff02b3623c4810a0dc70ac75f

SHA1
d759012bc0e954b63beddcc0e8907da8e70885b5

SHA256
043e288b098491dbd102a37b2e0571b82cd182def71d94c81e7ef0378ca3ab73

SHA512
09abdd5c71923df75204dae04e5559f29898d522899e6030a042a344910cf055e2624ec03a1f2ea1646860361b792e9d1ec538ebd9f4f8bd4fd67220018a9a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a8b804ebdf0ba307921effb174018c3d

SHA1
78163f06a4812c0a0e9679850c1e7b41446f9b27

SHA256
03262ed66505a0f8d40dbee0b86f36dd077d596be68fdca2d9581bf8430d02b3

SHA512
f955eac6343549210c080937f78fb0dc5feacd786661e20c19e6848be963d39d211be549a6c0d47195535860f3e02dfd74f62fac023cd931552558dcf2e7ab0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
99bcfd39f838dd0ccd03df7c902300bc

SHA1
56225c63cbba7a187ee1147d14399647cc67f878

SHA256
9b17590c523312220005efd3d13b774ad08a78962636e4ad7316c25d63a9cd61

SHA512
fe1100f2cfae19d82a27821817f5fdbbe9ed0ca7fe04cb5e72d98a69c232360845b73bef4289c9a01f5a2a00b80ed43e3cde78af5268d8ea2872fe0923593704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
604a91ba598168a2423c5ab5b794ee11

SHA1
af19538c7e0611f7d55025f997503d9af26aec36

SHA256
a6f14757c460bc276d7f8d07b0111c84edb63e497b1bad4ae8bc30adfcf55035

SHA512
bc5ece334da66314efb31427c3edfd9a6b6b3a236e939998db1b7f83f132933503252255f0007bc326b2d74b6e94f0368b97884d8773605b6100100e56ae2218

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vjjtrgp.nsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8354.tmp.bat

Filesize
133B

MD5
8fce061d01ebb4881d8f91ad85a826de

SHA1
517c6f1b6511a04e38852b310d23c3efbe9b1b2a

SHA256
f8913e214ea4b7a595c7d74ee41939bcce63b4eb5197c0d570a15bc78c26468c

SHA512
af236c9b12be5877bcd030e930434a953134d8dceb671201e1cfa3575419d4327a93abdf12422e4c7cc9cb7b69cd1ad079243ad71a634da8c2f4eef89b3dcbab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe

Filesize
508KB

MD5
e100e66222e53137091e45ff97c495cc

SHA1
4d236ab8d332101f9205be932ee3267091a77179

SHA256
780e6a974b3f4da3714c08855264cfa1556bb602a1ba971aa01f61bf41ac4e9f

SHA512
3ac2fe770048b7070e8ad1113d2c2f42190dac630255cd99934dbaa07ba54b6973199540119b3c6acf4fd598e31b55a614f40c700c5d0142ba68bf027f4ea5a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe

Filesize
508KB

MD5
e100e66222e53137091e45ff97c495cc

SHA1
4d236ab8d332101f9205be932ee3267091a77179

SHA256
780e6a974b3f4da3714c08855264cfa1556bb602a1ba971aa01f61bf41ac4e9f

SHA512
3ac2fe770048b7070e8ad1113d2c2f42190dac630255cd99934dbaa07ba54b6973199540119b3c6acf4fd598e31b55a614f40c700c5d0142ba68bf027f4ea5a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe

Filesize
508KB

MD5
e100e66222e53137091e45ff97c495cc

SHA1
4d236ab8d332101f9205be932ee3267091a77179

SHA256
780e6a974b3f4da3714c08855264cfa1556bb602a1ba971aa01f61bf41ac4e9f

SHA512
3ac2fe770048b7070e8ad1113d2c2f42190dac630255cd99934dbaa07ba54b6973199540119b3c6acf4fd598e31b55a614f40c700c5d0142ba68bf027f4ea5a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe

Filesize
530KB

MD5
766f0f0554418f987c7ae0b1b5a4c87b

SHA1
c1864afa5323fe9d809bc1485c8c95318a4616e1

SHA256
a6c266d002b6c1b61722afb924bfe93a0dd2f4b4861ee35d0600c92cb42b797e

SHA512
aa5c3e4f9b1d19d1bbe28f5184dde1779e7498a00781c87faf0b91f605275f65ca8231630cc1bee0a502a63ee945ff31aa5a709c95cdc7d47838e80da9fa2b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe

Filesize
530KB

MD5
766f0f0554418f987c7ae0b1b5a4c87b

SHA1
c1864afa5323fe9d809bc1485c8c95318a4616e1

SHA256
a6c266d002b6c1b61722afb924bfe93a0dd2f4b4861ee35d0600c92cb42b797e

SHA512
aa5c3e4f9b1d19d1bbe28f5184dde1779e7498a00781c87faf0b91f605275f65ca8231630cc1bee0a502a63ee945ff31aa5a709c95cdc7d47838e80da9fa2b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.exe

Filesize
530KB

MD5
766f0f0554418f987c7ae0b1b5a4c87b

SHA1
c1864afa5323fe9d809bc1485c8c95318a4616e1

SHA256
a6c266d002b6c1b61722afb924bfe93a0dd2f4b4861ee35d0600c92cb42b797e

SHA512
aa5c3e4f9b1d19d1bbe28f5184dde1779e7498a00781c87faf0b91f605275f65ca8231630cc1bee0a502a63ee945ff31aa5a709c95cdc7d47838e80da9fa2b6f

Download Submit
C:\Users\Admin\Downloads\ItroublveTSC.6.1.3.zip.crdownload

Filesize
6.5MB

MD5
524d2db0ead50f97372f3ecf324ae307

SHA1
7bdd15d4da87c41c1fff45265f0abd48d00a9316

SHA256
5f1d90915d4a6cce340eb07866281e55639fc29d3eff6e7c47ada63bbd18e608

SHA512
af426bc083d3276cb8a6702d35e97a6333fa782bb734683d6be70abc447b4d7a5454dcc2506ef510b919513c22eb379ea82254b0360087938cc1e107c52cfa37

Download Submit
C:\Windows\Edge.exe

Filesize
375KB

MD5
9c0a7d6267feb0e77ddf181e95d48b72

SHA1
ebbe54a2eb63652e5d75e5875410d914b5b4928c

SHA256
8161798db8edce12fa902151dda8562edbec804bd2e5256e4ed35124ecf4891e

SHA512
426eca46895bd1d2d98c6a586e535e0f39ad55145b4ca6d56ed972f9e96e9ac521a10094a8447cabc3c27d29c6880ac3401f1a22d2c48a49aa8655e363ba4096

Download Submit
C:\Windows\Edge.exe

Filesize
375KB

MD5
9c0a7d6267feb0e77ddf181e95d48b72

SHA1
ebbe54a2eb63652e5d75e5875410d914b5b4928c

SHA256
8161798db8edce12fa902151dda8562edbec804bd2e5256e4ed35124ecf4891e

SHA512
426eca46895bd1d2d98c6a586e535e0f39ad55145b4ca6d56ed972f9e96e9ac521a10094a8447cabc3c27d29c6880ac3401f1a22d2c48a49aa8655e363ba4096

Download Submit
C:\Windows\Edge.exe

Filesize
375KB

MD5
9c0a7d6267feb0e77ddf181e95d48b72

SHA1
ebbe54a2eb63652e5d75e5875410d914b5b4928c

SHA256
8161798db8edce12fa902151dda8562edbec804bd2e5256e4ed35124ecf4891e

SHA512
426eca46895bd1d2d98c6a586e535e0f39ad55145b4ca6d56ed972f9e96e9ac521a10094a8447cabc3c27d29c6880ac3401f1a22d2c48a49aa8655e363ba4096

Download Submit
C:\Windows\ItroublveTSC.exe

Filesize
3.9MB

MD5
63b97ca45d11bffe5f3317531335bb24

SHA1
5b445cfb8f8364c8b22f8e99067acdbede93e9b7

SHA256
df685c35cdfa3c2cd9c8c6390ccdf95442461558c4a1c5a17f37eb823f566cff

SHA512
37dd84cc2f45fc720a2a61dfe1d71f2a4b6ece9d3b19e87dfb17dbd4b5127a7b9d0b0cc2d842358ee222fe335a771b9a168cea52b3c931605d2576c3267e153e

Download Submit
C:\Windows\ItroublveTSC.exe

Filesize
3.9MB

MD5
63b97ca45d11bffe5f3317531335bb24

SHA1
5b445cfb8f8364c8b22f8e99067acdbede93e9b7

SHA256
df685c35cdfa3c2cd9c8c6390ccdf95442461558c4a1c5a17f37eb823f566cff

SHA512
37dd84cc2f45fc720a2a61dfe1d71f2a4b6ece9d3b19e87dfb17dbd4b5127a7b9d0b0cc2d842358ee222fe335a771b9a168cea52b3c931605d2576c3267e153e

Download Submit
C:\Windows\ItroublveTSC.exe

Filesize
3.9MB

MD5
63b97ca45d11bffe5f3317531335bb24

SHA1
5b445cfb8f8364c8b22f8e99067acdbede93e9b7

SHA256
df685c35cdfa3c2cd9c8c6390ccdf95442461558c4a1c5a17f37eb823f566cff

SHA512
37dd84cc2f45fc720a2a61dfe1d71f2a4b6ece9d3b19e87dfb17dbd4b5127a7b9d0b0cc2d842358ee222fe335a771b9a168cea52b3c931605d2576c3267e153e

Download Submit
memory/3496-401-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3496-441-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3496-513-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3496-408-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/3496-409-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3496-400-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/3496-475-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/3496-516-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/3496-415-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/3496-473-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/3496-398-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/3496-396-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3496-393-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/3496-460-0x0000000073A90000-0x0000000073ADC000-memory.dmp

Filesize
304KB

Download
memory/3496-497-0x0000000007A70000-0x0000000007A7E000-memory.dmp

Filesize
56KB

Download
memory/3496-517-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/3496-444-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/3496-522-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/3496-448-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/3496-449-0x00000000076B0000-0x00000000076E2000-memory.dmp

Filesize
200KB

Download
memory/3496-391-0x0000000002F50000-0x0000000002F86000-memory.dmp

Filesize
216KB

Download
memory/3496-490-0x0000000007AB0000-0x0000000007B46000-memory.dmp

Filesize
600KB

Download
memory/3496-472-0x0000000007690000-0x00000000076AE000-memory.dmp

Filesize
120KB

Download
memory/3496-477-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/5356-439-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/5356-390-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/5356-514-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/5356-414-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/5356-381-0x00000000007D0000-0x0000000000832000-memory.dmp

Filesize
392KB

Download
memory/6576-395-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/6576-440-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/6576-392-0x0000000000220000-0x0000000000606000-memory.dmp

Filesize
3.9MB

Download
memory/6576-394-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/6576-397-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/6576-402-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/6576-461-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/6576-399-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/6576-416-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/7152-445-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7152-431-0x000001D7EE8A0000-0x000001D7EE8C2000-memory.dmp

Filesize
136KB

Download
memory/7152-438-0x000001D7EE270000-0x000001D7EE280000-memory.dmp

Filesize
64KB

Download
memory/7152-437-0x000001D7EE270000-0x000001D7EE280000-memory.dmp

Filesize
64KB

Download
memory/7152-436-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7576-478-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7576-492-0x000001D6C1460000-0x000001D6C1470000-memory.dmp

Filesize
64KB

Download
memory/7576-489-0x000001D6C1460000-0x000001D6C1470000-memory.dmp

Filesize
64KB

Download
memory/7576-488-0x000001D6C1460000-0x000001D6C1470000-memory.dmp

Filesize
64KB

Download
memory/7576-494-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7604-474-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7604-462-0x0000000000C60000-0x0000000000CEC000-memory.dmp

Filesize
560KB

Download
memory/7604-525-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7760-512-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download
memory/7760-510-0x0000013ED2E20000-0x0000013ED2EA6000-memory.dmp

Filesize
536KB

Download
memory/7760-515-0x0000013EED4D0000-0x0000013EED4E0000-memory.dmp

Filesize
64KB

Download
memory/7760-524-0x00007FFC858D0000-0x00007FFC86391000-memory.dmp

Filesize
10.8MB

Download