umbral | hxxps://oxy[.]st/d/vmNh

Analysis

max time kernel
133s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/vmNh

Score

10^/10

umbral execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1228008947068436490/tncj9mVIrJMI3DpjKDreALx8QPbOlyvxgdoV7oZqctYYL1m2SYUty0d0mJ8yKmlEQ4Iy

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001da35-411.dat	family_umbral
behavioral1/memory/3968-430-0x0000026D07CA0000-0x0000026D07CE0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Hesoolver.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	Hesoolver.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
458	discord.com
459	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
453	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3012	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641549374506094"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{8044E03A-22DC-4970-BD01-6C8268FD0E92}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3244	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3968	Hesoolver.exe
3968	Hesoolver.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
1428	chrome.exe
1428	chrome.exe
5108	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: 33	4276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4276	AUDIODG.EXE
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
2592	7zG.exe
4040	7zG.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2152	3172	chrome.exe	82
PID 3172 wrote to memory of 2152	3172	chrome.exe	82
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 4972	3172	chrome.exe	83
PID 3172 wrote to memory of 5068	3172	chrome.exe	84
PID 3172 wrote to memory of 5068	3172	chrome.exe	84
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85
PID 3172 wrote to memory of 4836	3172	chrome.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4764	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/vmNh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9747eab58,0x7ff9747eab68,0x7ff9747eab78
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:2
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3512 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4884 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3024 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5024 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3264 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4844 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5192 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5544 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1880,i,14733206027101578819,17361570520466826940,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32318:76:7zEvent20387
1⤵
- Suspicious use of FindShellTrayWindow
PID:2592

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\password 1234.txt
1⤵
PID:880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32348:76:7zEvent16842
1⤵
- Suspicious use of FindShellTrayWindow
PID:4040

C:\Users\Admin\Desktop\Hesoolver.exe
"C:\Users\Admin\Desktop\Hesoolver.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3968
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5084
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Desktop\Hesoolver.exe"
  2⤵
  - Views/modifies file attributes
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Hesoolver.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4380
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3820
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3012
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Hesoolver.exe" && pause
  2⤵
  PID:1712
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:3244

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
32KB

MD5
057478083c1d55ea0c2182b24f6dd72f

SHA1
caf557cd276a76992084efc4c8857b66791a6b7f

SHA256
bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b

SHA512
98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
20KB

MD5
e648b4f809fa852297cf344248779163

SHA1
ea6b174e3bca31d6d29b84ffbcbcc3749e47892e

SHA256
637f545351fbed7e7207fdf36e1381b0860f12fffde46a6fa43bdafcc7a05758

SHA512
a2240d4a902c8245e3ffebd0509e25dd5005d0e6f075f5c78a46095b9a52d86ed483583a2a8b39f1ad4e610d2f7ec63e4ef8eab89936d30da937690936ef4f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
29KB

MD5
28198fab85f1ac98f664600f670ba43d

SHA1
ee0dd46d793071270130c08412258d8c32194a32

SHA256
81bd52c3dd2417f30deadecbe5412bed404a86e05233b7b7ba6b7e8f682b5b49

SHA512
a1b3ff8361213c15bb077a3b9d31e9cb8b7705d04f2815395c13365972ca94e798f11532df48583fb3792df329d2a98ec903aa0457841da34f062f170de5d921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
23KB

MD5
82db06ca267ac7fdd878a1df35f41f4e

SHA1
9dae7f1ae60d7b83dbdada64fd1b4296f8f20051

SHA256
3847721350fd764d4d21cb4d2e02ab95c4ccdaa9d8ffefeb6f1078bf169ac6fb

SHA512
6e9beeca7caa94fc5dcf929d5af18d24acfc2a56612840b7084fb6057785d85b272eec8acdf4457c7dd1de9bee5e03fefc082a170131002229da0c01da9a8fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
20KB

MD5
4588208961b6b7ed6cd974687346348a

SHA1
52085a4f6c875b6949261704f05050c1727e9c55

SHA256
95a95b07b4e0d051f83a51b680810572bd1244b42cb6e640d3b29b98f3e92885

SHA512
a9853353e68286f62535548ddbf1a97f1b39c1b6200161a660b1a4eac6864a1f6e93ab72d2cfe61249bf4543e2317f04babb3be211a37c12a55d55ee08b2b515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
23KB

MD5
cd7b3e4dfecea7028bc1bdeda5a47477

SHA1
5c37dcaa4ed3c2a4051e4dc1714a342ac0de8365

SHA256
4d401337713e7f1c9f6588f8f7d79721e531c837b5f2f73c0b3cb372fd8f9b87

SHA512
ea11eb8d8347a39a1aa990a05cce6543e47145a1e618091750e2ad77497449e12e8b4d5b1e3385c9669cdd6a66e7dac96ff0e67913730c27c0ef2ff40a669f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
88KB

MD5
f64473f7f0d77763bf319a920044a5fe

SHA1
085e34089773af2ec9ec67f206d51e9ada6a84fb

SHA256
d0ce3ff70f038c52fd30f79350f60b4dff5c9bf0f327a1389c83c409a1f8846d

SHA512
25a85139b51b7b1e45a30c3cb8a5f53d7c7c09d7a636236a2abe56e7737c5ff1b7481d2d71ccdee2959c480cece1f753acc27998c1cb981c989b5b03aec5a20a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
31KB

MD5
8e2a0e56ae25b282b437f9d5bd300d96

SHA1
5d4ba26731ee84ba9bbc5487312162b826ede550

SHA256
b48a7837a73459a7d6f545cb45a810533d9bf006a54077b2ca3bd62dd6f6315d

SHA512
a2529efb9941f92a6c84c40214bc9c7c97ab70dd69040238b82f9422bfb5424b41e3f56146017c4a9fdb545b17f84058e03c8179fd4f6385e542d799df5d7a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
19KB

MD5
d37ece4290313a264b5e235c0dadf2fb

SHA1
9ae09bed58122b3d3c4914c45e682dce63993e14

SHA256
e08d9d0fd918211315836b13807379efdf0a22ac163c96f96c5a14d1212781bd

SHA512
28a9ebb27fa73557ed24458864558fca4666cfd53766795b2c6785202fba4ca67a29a25f48d3e11ff9bf462b070349571d67a92b1202ae42ca8583db3a781a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
72KB

MD5
ce2f90b81ee3a43f46c29223ad1d981b

SHA1
b82b68c892bd7c8b0bf06a883f1bdcd8ca0121e5

SHA256
7b5c7bc066eb345c6c48189f960ad13fac80add5b5769e2d7a1f59d82a382505

SHA512
85333d169f9815e608eca91d3ba07b18ad6d121806caec0474fd73bcdf22cd0ec032058ae029fd8ac650667df7a382c1fe186ec15f2e13b224a253e7d7c3c674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7016840c0188b61abe2e12a763880dce

SHA1
44650b73374c0443815fd0ab4f4c7704a686561a

SHA256
315aea98fe9c4e9b276c06b7ee5e368943e78568d0a20249173580fcff7e5d63

SHA512
770b6ab3935a2921bc536b0d87e44a5dfcfe72041d64f2488036d9d8269db54f09d589dabfa8c54523b8aa75f5f7b4fc2a652e6a0c1a36309af409d6c88c88d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
db744f93bd93f1402c2b4a310fc92c13

SHA1
32968591b6c50815ba79a0a9b5c2bf27ad126c4f

SHA256
47852f67ed8c8834fec34f2ed0fa6b5f4187bad26e86df1c569f3a71ba73db66

SHA512
689fcfb9959008236979321e36fb62054bcaf506b6ff73296232a2e13475270080b4a5863b1ac68b10c9634595cfc87a7682b6ad8bbd8cd51988ab37d0f43794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
36KB

MD5
df627a3de060c1dee430cdd2f3c47c03

SHA1
243dfc05699a6442c727b3eb8b378edd25620e08

SHA256
d995e74f70bdbaecd33ada8d4163c8c15f9852f6a2144d5b3c14f80b9cb5f824

SHA512
826027bff98087d781cc1e317ade88ad04cc7face9a59bc6517a52a7a4cb421bbbed4049a2baa1caca853da08783347469f8a6e45a10e6dd9d5601cafb4e344a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
32d770f31639eed11ff95d087ee1ea9a

SHA1
603e75ba1247a17fbf205cb54fc355d86913a6ab

SHA256
b8c90fae37dd1b0e68519876089c50681ee20174cd82d67c4816bbf6e23a8df2

SHA512
544d81c36be99a2c7ff29d8714f9f085b3439a851ec4213ed27d3006d75aa09434f0fda2214c522531ecd9c6d857b8dae32f7bee3ebdc005891959fc4314cc6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
6850f5b3411a3cad533c91e74a62e01b

SHA1
570b354241f1468fc5ed1df4e88bd961db9fe1c7

SHA256
8e76d7dc99f3a742c89713f58375f3373ecf104752062fba25d4e2017f9b42d6

SHA512
2897f7a6f3200325573350dab6755275fe0e34233e916dea588fe06a8ca8707d27eff7eba7c95211f7ddda7b08849052119fdc373c7a6c73bc1d40d1ef302e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
3dab33a24c489a637f315d90a8d734be

SHA1
87756a48bbbf17f834753e8589f76c94fb1e15ee

SHA256
b86b47594062957425af85dc1157da285fbb7bae196842a36ca420dc0ffae8d1

SHA512
0eb0fc9930224997b8722da65be366287446ba93d611703934bea2981ee30803fbdb9249294ab97da3527dcd66dfd208a92bc305dd7249ef210982cb3206755d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
a69c3207951524a62d05cc4d870fa959

SHA1
53de75a804051b0544c0e2604c6516994e6244fd

SHA256
f8d32fe4aeca32e6854bb3c37a2f9536c1033c3db539f1c5b9b846bc7219170e

SHA512
c8248b9ab3f152c94ab0d2e573a8efade426604e99249bf4b198221eb0606b6c8b4fa81d1b2db0cab17025d782dc52325afa743d496a3ef3bfc6b22c27282352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
eab7c053b70f3b4741f73a88ebc9b948

SHA1
1d744b47a67689e9b4f8876f0c99df7f95cecb59

SHA256
d5632d2eb0b8f237ec79b936ab66332fe676732da5351d1570d1faea38838fb6

SHA512
a5adec0e3962d48a1b6107d6641798dd621e2066db3581812555baabda4a56b90c9899109094597bdbabf85c6d55b2d5e5ddea0b6969989942406202631be783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e0e9143b8ca7f97b1eb5f8e36da341e0

SHA1
b1b65fd6dd273ffd744b6585a2bb99bf7daa3d5f

SHA256
7ff48382bbde2db3f5d2e4987307a5b0d9d06f2f9feffc04c12d0ed8a0c99037

SHA512
fa14c9b15132a4faee0eed5faa9fcbfdecd8da2cd2c63c5a5c4d215f161a9029196964784fd3a8faf14433f2370ca140f6966308bb18c022f3f09b5f4dc50660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
645c80f10e4e292888050118761b95cc

SHA1
60b921955743039dce3081894d981b214ce1e8f7

SHA256
4f14597bec99348ba7b4e5d549ebd34b63f6797cdc3b8b923a8b53cea0a012ee

SHA512
5cab32ab92171fb81724141cae0d3adb9d408b712bf92a58285a50f7c0a73d95384dfb41da695560a9d61ad15f97cf32eb8e0a1289b2522b24c2f34017cbeb2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5a67d4e6df67026b86a6cb50e629343b

SHA1
9a9c6a1ecff8740736395a11fbbcc17a7a291dcc

SHA256
fcd1a7cc2ebaff0de906b572af5732ece7c464be892c3533f2f0cb1e3692bb2c

SHA512
d498287e61765e224491cd6000b34e25cd960c5a911850d00c883dc5b555dbd8ed88c3d707a6d6e684e9daac1f5b849570013b2d5a97d666239f568acf889dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
eef30c70752b32adb5ba83f0aa807bdd

SHA1
8ef3badb0c6da39f7c755747a68d3e642bf81210

SHA256
407f166953f111c08c44dd60af95be5b83dfa0e887a747982c11291f93c393c8

SHA512
cc2b2210e49c204edbe14ecb3bbce6e6f91e76dab2134afb4911de2d4d64df3d1611a6613d14bf7971557814f82b864b8e211980c08004c2313ab9532d32f16b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
2f1a04ce553d72c5298bf9b81b834282

SHA1
c39c84126f42222c467a8275f334aacd05efe7d8

SHA256
3c6e0118175e5fcaf86c1a76ba88029298425b062f0f50ce430db70f28bd23fe

SHA512
7b9506242e9edb5b0c9ec583d5c65c3bf39c2701ed56d99f1dd68377db92899d3ddb17bf26ae1471658d2d7997bfa13e2280d7d136c1cebdb67a18bf617954dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
b485c3b739ea65545a8014e926000d90

SHA1
2184bf63b66c6b690d335bb7e2e84daa8a435ea3

SHA256
1e6117b666ca0a9a45ddf8bc7a7eaf4062438d7704c8364df7bc12192d9d9730

SHA512
70b1b04f1b92ca44ae5b0153ccf05a83e8b91cec7cab6fac2de8f1f6637beebbbf5c1b9d3947285957c91706fbab2f6486ff7533f4c4a9a16eb23d7ce19a475d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
f7888ff9ae436c1b2d20c0c5c98e82ce

SHA1
418e76bec58c8f7c3967b63d741ba1725dd094ac

SHA256
d254715a5484da9081b7b2e01b90ba72cccae113b993b13ff0ddcf54c6e5adb1

SHA512
652ac863f98f9b7d998a146b2ea2b199e4b7c445acfa2debbaf682c8afe5763ff056b2891d089977f9e77232078707472aebdae702bdebeb638b8593f31e486f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57da52.TMP

Filesize
96KB

MD5
d775642d97b48aa985e669a98e9650a2

SHA1
52de9b8a11d5b48dea5b215ea4f8b14168f4d135

SHA256
88eee1265f1958b0dd4bd0880ab7aa6c21ee9ebab6fcfc4e1cbde74cbccaa914

SHA512
a1205990372aa88423634d05eb18d151a75d1157a3bd7b7e6c685258a3f2f678b1b4c0ed31361f1a2f84fcebd2756fa1fdcb38399249c717b35ab083e8361f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agqfa5is.svi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Hesoolver.exe

Filesize
227KB

MD5
24fba26659efa99e91104408b3ff6292

SHA1
04b15b54389038c40b40476fe7ec2a8294ad283c

SHA256
49221b016f89975e40bdf310c0b38b1cdb3f7e986adbbf13a603ebfc9cf04e1a

SHA512
f37386210b52651c63c187447899dffa5d7815750976381630817b9369ff0ef852207e2887f9435aed4f8096f8a47a3cba7982114ecbf046fb192972dcf196c8

Download Submit
C:\Users\Admin\Downloads\Hesoolver.zip

Filesize
88KB

MD5
b90c8254f1530ea83047c8834dc0a87a

SHA1
bc17ee9bc00701da9736adb7b92c20482cb58286

SHA256
5cb2a6a6093a8fb1b723a855c9c747c8165fc4cb5e5c9e646a137606714a86f9

SHA512
29d1b713ae8c0fae206276c9be8afcbf7fd6cae083543ecb140e3e31f38d75ae16ec5fd15a1157c1412c5019b3c5da12e987304d5591232ec82e2a434aa93b1d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2440-434-0x000002CEF8E00000-0x000002CEF8E22000-memory.dmp

Filesize
136KB

Download
memory/3968-502-0x0000026D09A00000-0x0000026D09A12000-memory.dmp

Filesize
72KB

Download
memory/3968-430-0x0000026D07CA0000-0x0000026D07CE0000-memory.dmp

Filesize
256KB

Download
memory/3968-501-0x0000026D09960000-0x0000026D0996A000-memory.dmp

Filesize
40KB

Download
memory/3968-463-0x0000026D09910000-0x0000026D0992E000-memory.dmp

Filesize
120KB

Download
memory/3968-459-0x0000026D099B0000-0x0000026D09A00000-memory.dmp

Filesize
320KB

Download
memory/3968-458-0x0000026D22470000-0x0000026D224E6000-memory.dmp

Filesize
472KB

Download
memory/5108-522-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-523-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-528-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-534-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-533-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-532-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-531-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-530-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-529-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download
memory/5108-524-0x00000149509B0000-0x00000149509B1000-memory.dmp

Filesize
4KB

Download