749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

Analysis

max time kernel
61s
max time network
62s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-04-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
Size

565KB
MD5

27601d095e5b3761d9289584415a73cc
SHA1

9570f23b5abe2ef46a23ded17adb2fb6c203a201
SHA256

749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4
SHA512

066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7
SSDEEP

12288:REqmA0wfzInoQJUi1KHvQtzDNfo1arLaLRvs+Jkp/eH:RHmSyo+Ui13zZCI7+up/eH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
348	WombatStarter.exe
4820	HPWombatSrv.exe
1768	WombatStarter.exe
3580	WombatStarter.exe

Loads dropped DLL 3 IoCs

pid	Process
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HPWombat\uninstaller.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\1.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\2.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\3.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\4.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\Resources\Icons\Browsers\5.ico	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\HPWombatSrv.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
File created	C:\Program Files (x86)\HPWombat\WombatStarter.exe	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	HPWombatSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	HPWombatSrv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589618021189169"	chrome.exe

Runs regedit.exe 1 IoCs

pid	Process
4932	regedit.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
996	chrome.exe
996	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4932	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	taskmgr.exe
Token: SeSystemProfilePrivilege	2752	taskmgr.exe
Token: SeCreateGlobalPrivilege	2752	taskmgr.exe
Token: 33	2752	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2752	taskmgr.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 348	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	74
PID 2820 wrote to memory of 348	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	74
PID 2820 wrote to memory of 348	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	74
PID 2820 wrote to memory of 1768	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	77
PID 2820 wrote to memory of 1768	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	77
PID 2820 wrote to memory of 1768	2820	749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe	77
PID 3580 wrote to memory of 996	3580	WombatStarter.exe	84
PID 3580 wrote to memory of 996	3580	WombatStarter.exe	84
PID 996 wrote to memory of 1884	996	chrome.exe	85
PID 996 wrote to memory of 1884	996	chrome.exe	85
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2840	996	chrome.exe	87
PID 996 wrote to memory of 2480	996	chrome.exe	88
PID 996 wrote to memory of 2480	996	chrome.exe	88
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89
PID 996 wrote to memory of 1408	996	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe
"C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files (x86)\HPWombat\WombatStarter.exe
  "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "install_and_start_srv" "C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe"
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Program Files (x86)\HPWombat\WombatStarter.exe
  "C:\Program Files (x86)\HPWombat\WombatStarter.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4.exe" "HKLM" Software\HPWombat "jeromu"
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Program Files (x86)\HPWombat\HPWombatSrv.exe
"C:\Program Files (x86)\HPWombat\HPWombatSrv.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2264

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4932

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Program Files (x86)\HPWombat\WombatStarter.exe
"C:\Program Files (x86)\HPWombat\WombatStarter.exe" QzpcUHJvZ3JhbSBGaWxlc1xHb29nbGVcQ2hyb21lXEFwcGxpY2F0aW9uXGNocm9tZS5leGU= aHR0cDovL2FtcGFja2VuenUucnUv
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://ampackenzu.ru/
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffd5f3d9758,0x7ffd5f3d9768,0x7ffd5f3d9778
    3⤵
    PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:2
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:8
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:8
    3⤵
    PID:1408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2640 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:1
    3⤵
    PID:224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2648 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:1
    3⤵
    PID:1324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3028 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:1
    3⤵
    PID:3848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:8
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:8
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1800,i,8912978932688905120,18232799246441915746,131072 /prefetch:8
    3⤵
    PID:4844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HPWombat\HPWombatSrv.exe

Filesize
2.4MB

MD5
bac2e4856879885af0251cb4cbb3d521

SHA1
a8d3f6492e20e775c84f16a8ca6683a2c1aabc2d

SHA256
18dd7fe65140120d10004e475effb1ce386d8f280094429f4654882120899d73

SHA512
5d550a67764a54145808a12953435a5dd75d1bea8200f2872e288f1eb9f8c0b798db539289950b2c42a0cac4a55689fc65427d1c97afdf83a10881a74d7a1935

Download Submit
C:\Program Files (x86)\HPWombat\WombatStarter.exe

Filesize
1.3MB

MD5
d23253f3a323a0a7c8ecfb08e1e0aa74

SHA1
497bbf7fa1655f7fd921239a00d46c32acebf59d

SHA256
78d7891f42d40171373088aff1bda3fbd5ed4275ac0166a0cfcc7c8001ed4b70

SHA512
cc5072793d2bcefda3d59e145996bbeb47eac8a6887b7472d2ce3d64bcf46a3c9cd97a663920f4510e1ca6626258354dbc4e758a759b089f58d86fa8a4cb7b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0143a9cc-a886-4698-93f3-5e92a92fe47f.tmp

Filesize
1018B

MD5
cace1443bc0ffa658091a4989659fa10

SHA1
22dddb37325b71047c4bac1b830e0ee075742674

SHA256
8da6c8309c033966ccb7a2dd81deab948c2525d0ca8eceec8cadbb719b0432a1

SHA512
781ba887539b20a2e0b3f6b72aff581b2b7fe2ca45412039485731ab30b9c072371de5fbbfd20e11a0e7f2b1a672c406d660b8b58a40426a3c69632ef7a7ed29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56d1c46e5f076573c021cca4e6a29ab5

SHA1
548534bb708bd6a2821b9abe777d780c49a7f36a

SHA256
df77fd1a825a8164cffdc45b164845dbbdfbfbb1c9b347cef3b1cb934bbfd270

SHA512
f668e685929251b221a3db9e37dbece8aefd103c1bcb542e7362718e562ffb974b43397fc5e1f28802ae86849cc144480470a8bcf09758df5bcc2b216742251e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
70626b55cc7b1df9d133babe15b8a689

SHA1
f9729ca3f61c83b9f72e83ff0480c3d39ff27717

SHA256
d22ba74a69f54e5f0724844de39ba497e181317c0e5b912acb87306200051478

SHA512
8a4d0687fde8a84e0d957cc3cdde4413630457a3b2ae11b386955635dd911ef6ad14f6f293e69903e5943f3d1b0f5e2444419d1ac07ca155de88e241230942b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
c770f6be9061aa85a653f3de014c1fb7

SHA1
ce3c778efa07dbbdd3f3d35b7081f2b1839b978b

SHA256
eb162499469bef55a8a601b9adef28a62f57221fac4c7f1df1c5150fba29499e

SHA512
969fd804c751cbe9baa6b8f80d7026d9485587e10ad41593d0773d4a5de6c7d4c276ca6e94774d73c93c3ceba8da8f8d5005285e0f7180042a42a043988732af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Public\Desktop\Firеfох.lnk

Filesize
2KB

MD5
0736f18b030791f6e2218c493af4ef85

SHA1
5ae764a81823681c0a36a58f966c9a05bb2f73ae

SHA256
098092f7a76e37028285a4709b79c4614500e1fdbaf47b829dd95c115be26445

SHA512
f9aa5ce3f71bd0b8ff3f89607d65011070f1ab02ac2a52d3de6f160648e007d632824b5a19a8b35d8250f06c9ce7d9e24a281eb824d2b3503fb0d76c559ae97a

Download Submit
C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk

Filesize
2KB

MD5
0ff46930ae9bba7bf88bb4579ff66081

SHA1
52776aa7c8d25661839da7a2390a74376dd946e9

SHA256
ab8dbff137702c7a7b22b94a03550fa8916079f5091d36b155ecdfd7a71e1aba

SHA512
d515421bd1a331f7f45992dad2ff352fa709c4e7ab79e22d14cbd59dd0c04c4adf770445b806767eba4d8a0c23bf4791f56244508cb0ed6d8815e5ea4f45cb0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsb57F5.tmp\inetc.dll

Filesize
24KB

MD5
0f70de5c22874df2323f937f7b588bd4

SHA1
ed306624cd687d9e506c7ecd2ac97b7aaf556ff6

SHA256
7f5429361e0195d599ee05643e26985490b2ad85a08943e561898db3b365997b

SHA512
9cc23c1c5fbd07d991adf002fcdfdc3118b5d3648ac2387ef255ddd1377e1f94926f6e466ffe61657858df8e50179f52d647c75637beb2cd833b4ee6e5dc556e

Download Submit
\Users\Admin\AppData\Local\Temp\nsb57F5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit