umbral | c88ffa55d1136e9393fa642c508ab09e91da603eb036c0ca72fb77d806844c14

Analysis

max time kernel
300s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1111.txt
Size

40B
MD5

1424606dbfeb39f90c1465f60bae2db2
SHA1

cf47c1441422f20f0c03ec05a88d1c9062518ec9
SHA256

c88ffa55d1136e9393fa642c508ab09e91da603eb036c0ca72fb77d806844c14
SHA512

6fa4d908ad553ab25ba461393baadd9b99d2134b05059b61ba80582551d8b517ff8cdfde010f48e652b8ab16034371b935717afcda5833cab4b63d31c6368635

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

connection-arizona.gl.at.ply.gg:65211

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002351d-294.dat	family_umbral
behavioral2/memory/5072-301-0x000001F9D2120000-0x000001F9D2160000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023517-195.dat	family_xworm
behavioral2/memory/5012-203-0x0000000000B50000-0x0000000000B80000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
4560	powershell.exe
2752	powershell.exe
448	powershell.exe
1052	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	hmhdbm.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RTC_launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RTC-launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	svchost.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 10 IoCs

pid	Process
3600	RTC_launcher.exe
3172	RTC-launcher.exe
1636	svchost.sfx.exe
1988	RTC_Launcher.exe
5012	svchost.exe
1212	svchost.exe
5072	hmhdbm.exe
4476	svchost.exe
456	svchost.exe
1504	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
86	discord.com
85	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com
83	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5104	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651456341256942"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
548	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
652	powershell.exe
652	powershell.exe
652	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe
5012	svchost.exe
5012	svchost.exe
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
408	powershell.exe
408	powershell.exe
408	powershell.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeDebugPrivilege	5012	svchost.exe
Token: SeDebugPrivilege	1988	RTC_Launcher.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	5012	svchost.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3160	4248	chrome.exe	89
PID 4248 wrote to memory of 3160	4248	chrome.exe	89
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4428	4248	chrome.exe	90
PID 4248 wrote to memory of 4892	4248	chrome.exe	91
PID 4248 wrote to memory of 4892	4248	chrome.exe	91
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92
PID 4248 wrote to memory of 372	4248	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4376	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\1111.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d8d4cc40,0x7ff9d8d4cc4c,0x7ff9d8d4cc58
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4416,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4500,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5260,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5612,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6016,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6188,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2644
- C:\Users\Admin\Downloads\RTC_launcher.exe
  "C:\Users\Admin\Downloads\RTC_launcher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3600
- - C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
    "C:\Users\Admin\AppData\Roaming\RTC-launcher.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3172
  - - C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
      "C:\Users\Admin\AppData\Roaming\svchost.sfx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1636
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:32
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:2024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:2348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5104
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe" && pause
        7⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:1892
  - - C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
      "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5036,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1896

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:456

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
e8ba67ecc4a71aec0a3318294c0fab4f

SHA1
f74ee3f16516a601281e12e387ac31565b81d76f

SHA256
8884c178bafc7414c23b870649f9ffbc74a076834b7cd7e4d2f17539d516637a

SHA512
7ac3ca79db0e3a71265c04382e1bf5f2762f6aa89732533c246f7f3bac1b5607c4b2ed19ab3ae789c054a02627b09bf2e9e431c671e1436e123c8c59795508e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
14d86d2fdc5ff86d488911b7fbad7ef9

SHA1
d9db24c87859586480abd0e27dad70c62cc1f318

SHA256
445d2555f71c3f429df1931a00220573bc7c0980f6f8d2226b5463cccec4a654

SHA512
4faf253a56fe01e2b0a9b34f246f0d701db31c9594e4f5c84fce42d1374f5cdb2f1e9e37ff0111eab87208507f13e143e47ddf807b7d029db10b60f20b4144a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
fa0ec8b35054b97d0055d2e64b29ca4f

SHA1
ca9e13621c05af531105c7bbb48f5082f478da1b

SHA256
4b17af985c7b1a7aaeac1c2dad25cc8e94d0e942caf029a056533fce60f65adb

SHA512
768003b3cc1a4bd937c233793c527c6401643206b896730a5407e594444af23c2ab645f21c5be63c4453137bf38c822de29d7514212e28f33af2828e7089ff48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\af9c7df8-6f06-4d59-9dd0-749484fe5394.tmp

Filesize
2KB

MD5
65e8f7ee2524ae5285f949ecf309a1d5

SHA1
885ff95a79296302d35868d26649b6bd03809b9f

SHA256
83cdf98d58f20257025d05e44dbac7113e7150409f761e24dc33f41892e8fa57

SHA512
531e0499690f4d6b21d0261f94258e5f6436ad63943183261e0f3362bddeeaf7ac55359f3433b37894b350c95089f867c641c1708e36517f34267fa26e11defe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10cef33b2526cc04ff6a448f4242b7ed

SHA1
817e1403373739ae5cb6fa84a2ad7e76191eb44e

SHA256
b825bd483e300f7a011edcac49f480197cb4bbff004e0b7cd992b2bf28a09af7

SHA512
5736c335677ff2980c85cfdff8cc250a9efcafe9a1555fde5148bae6b77e1fc7c6a9a08aece25415b0bbdba4db13899964f0b404d34a7a6f5f1c7acf0f16515e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a9c42a3ed496a9732ee2a849f1bb4c31

SHA1
cc1f1c279349509de03fa166b1f67ef7c6efa3ac

SHA256
58f97062a0a0b5ab1c468424b54995ebe6fc83a39d9f531f01a87fb95371fb24

SHA512
01a51023598aec2513eea2f7b15419d561aeaa6b2e311c5af8d959ab749f7997c23fc7fe0da7a50b58b874dbd51a7b0eab83765cebb65580c554414008aec68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a43253933d833458a1120663b517e7d7

SHA1
07ef0d2b86dd1fc7ea5d4a43c1695bbc287b2f93

SHA256
a7c8f7f818ff4d27fcbcce976d8ff9742367687024c4485f2462875b33684566

SHA512
3b5d7fdf669316ec54f6fbdb99b453f5e38ed4d06ab78001fefce63ea04b5c8f5bfe308019263a5fddf40e225ce30aa4761e0b9e7d14f1f9b5ab5ceee82375fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c27718e87e414d97a3b813dc195914bc

SHA1
131d04af65d30cc4ea13c54d8324311ea1318c96

SHA256
77d73bb2746b9269e1f30db2ed68d8c28f4fd6a75a2d3082971c21adfb900969

SHA512
2722ea565df22f8ef7ccd47e25a9bdd7f0757fd052eec2878d07e65e677024699aeb848d3bbf329e62a33f9760e3bc1e41551f4a663b73f0a5e81985f55d2a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23abfb4a938e41fc7f3e97e358cf895d

SHA1
2314d69d658a2b63373c8031e4ef6ad9e7fa6832

SHA256
f60943998df07cec1463d6c9b57bd159e30569b902f0d2c94969866f41c6a081

SHA512
bcd11810121dd8596bf59ccc6832314d3b64e0db3db5b6a3a24130af812c6933099fbb466dd10b2708ad9708692e03fba563d07728296eda5a9d19f83888db04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f48ed3b9a04049057645e81b10ed00d5

SHA1
5740c73ccf6011da59983b8698b2da9d23a86216

SHA256
673f5677db88aa860196994a1a19f59e869997d9618d6db14432d4e633336694

SHA512
9d04bcc046a86a996e9f88962380254527c0d222efa71ce9134111f5d975111245f36bba445142ed1506a4ce7cdd7e265e0a6fe374520e13b5f9d8e4f98d993b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
173bc96831d89e76705def0fbd052944

SHA1
825f67bb01d53db26778d40b6595beb679e8038b

SHA256
037649c3b43c011cabfa66f743754a619e10e9ba7467f0afa54f80da4c32df32

SHA512
663c5af4f93d51f7e6da3c1ece183dd667957bd4b660846bd99b9f38badc4f36c273c86e4f92ac2e120cb67834a4a657bd361aa1784fdc98e2768298eb6f1752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9279fc735aab9dbd0fad36d1412a0cb

SHA1
0a427374c66801d87a9a1e801d237e41fee3c849

SHA256
f67ab2470c6ec3bb658a15f88b50211b4f971fb1055229085a8a8cc6b1ba4302

SHA512
af0114f5ea988459cd9a3d1068d941627cd7046c461db61e4d1b290955c3e8ce68c72fb4cad8b95d20aa1957fc2278307ab8a644b383f72e2863a4bcfc639722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
414202ca544043756e86ac6d7851f72a

SHA1
1520df6c638034437ff0f7645d73db1e7a2ea49f

SHA256
9dacedd307144a78001a8b8608562717e89cc803d72068e18513c98e3fd02092

SHA512
8582ae6dd845145ffe8ced8e171812073ceb62d515622fe3f3cb25bfc0de68f6fbacd6b2beffcc8f003357817431f1ffb04d2841a00a6f8519432ba07dd5c79f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05c6da891519b31c807a2860a6304bf4

SHA1
3c0d168f84d405c80df7fae7bde8a75585c433ff

SHA256
bfb28741d8b78f416c0cbc9cbd75f55dc4085688af61262e8e0f0b3b6436a36e

SHA512
9fa5098d778dabe1a57db06220f9b84acb83e26f95d6c78ddf126b266d67445ee542599984d78885229d84bf5234e56ade568a4f3d3403c2dda0d595505eb686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92464dc30d5b57a05b8198d508b61c8f

SHA1
126412047d9f0c6f9aac3ae5eb6665d29798872f

SHA256
06b8555cea6f3ac0ab9af1ded280112648a357d629b8853d333158a9626b9dd1

SHA512
3995d9a5824dac003beb9c0c47a15544b892204f3a7b6b4d301d4f4fb922405e42aa2df9c8bb6f8ec3206df40a3b78b66bafcf0717193f3932219e9717e9b142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ca550d48e02292da98621bd1fee154b

SHA1
b55b40bb6459bd29752dde929269d8e91d8c0431

SHA256
c8293f574fa9fe9ef413f20404d035c1b9fdadc910172a295f3d37659321268c

SHA512
f8bb7361924cf8db5b3309f8a1be5fb236690e477891452cc8c45bbd36d081c25aa102d086a49c7b13953f94c1cd994c51c98f33efc0e4ad53ee174d7b3e8baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39786d8f7a1c2546f2a7c23d0a8932ae

SHA1
65a0446438dd6759ebf7e40727cc5bd71d223877

SHA256
2a81ef1de71d59542a4673af65d51f03a94f068d58f0ceee885eb7f6c3aad56c

SHA512
5d2e007470ffcb73e40ccb2049d899aa4f6eb271bbc13592bbc33c578f73b9b8640b503c488048426ce8b449a2dd1f259b4cb89c8046e2198a9b1a8483ea6b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
771b8def1622764029877b050b018ffe

SHA1
3c576d0cbc82e0152c2be29cde072156a33357c9

SHA256
addf1b2ff0113284caafb46b4895a2d61e914a082571b71da01ee90853b0e805

SHA512
852ca61add71582fc4d9487789c37b9d9643d6b8c2e27c91dc5bff05364ebb547b523e92a1096dea12c508ede05329b87adcf3d8a453421a05f0ae6d17a910b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4e747fb60c3b87ceca53757b7aa66380

SHA1
c53d2597d3f0a99a7df786653689b232ceb0137f

SHA256
41f20ef3b43ade026435bf8a2f11e47f5e9e6a82ec508e6e7bdd90781eedee45

SHA512
5b42b2f7f8881a5ad8f324b90ad0cf8fe393724c264b9463e9f7226662c0497f56d0fed737f4ec503acd2ecf9814c14225cf91f1111a7f4190003fc33e3b31a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
376b2264158549d2160e7b1a92d4f5b4

SHA1
961d068c89423d8bebd1631ba4c77e7b4ee87b4d

SHA256
afb8bb5c7cdf7005c3b5150a949e8299a603660bd31e789245a8c6b81fbdef6c

SHA512
1c17835da7fa74f29bd2c2783029c22ee57474173d143cff03355c7676af00156fe4573aaf0a9d102a53e02ca07e9fc75db6591779289292a0a1134fdb63063d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
4a10d402e800726990be461757a06909

SHA1
14edc508d3c535e1bc1f9d6aa01033af6ec60d67

SHA256
f994164f4d0ce3628bc2ad1c79ec407cae99deaa8a6ed13aa5adc0974942a098

SHA512
e22adf1e8e28dc0aa510321535261a828f573600b2e99b6dc176e2cd0a0c9af3c2be0d8c545f2987853cab9232471147dd74982253a3f37fc5017371aa8d9178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
465286a9b31a4fa4831f9d3a2925c88e

SHA1
4ba832802f83872ff47a59ace1057bceb38a1955

SHA256
24522f12ccd8284ed705803f2c1a3b12ba7d675d300fed443ca9eb55fead55fb

SHA512
84e4d5f00257670fea86e4397f3b814174609daf24488a82c4ce726f81b5891561a8c56d4053c76a8bc27318685d482dae5e15ba28c1cd14049c15bd552f95f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d1916e311dae29edb38f2946bd1cbeaa

SHA1
5a5f04e79c9db4022607f567585aa2447dc0fa3f

SHA256
fef31b0f182c51f528de4d52085cd852fd9cc2738439eedd55ac60552ef67465

SHA512
a93f7e5d646d4a14c130dd91beafa9697eb0a5f85859376c4c2a019e0d4891d9b013ac761f9e5f7a1d6dff0d9e3c0df75d6f74d1d23f89d6df27f48c7b56f5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
07d142044fb78e359c794180a9c6fdff

SHA1
8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e

SHA256
2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea

SHA512
356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2euv1d3.swa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe

Filesize
229KB

MD5
42cdc6de3e126e303e5d062d85c6e1fd

SHA1
f90df98687717fe4fae35177079405e94b3a4bdd

SHA256
fff9ad86fe27a98f157ab61c59fefc5ffde25bccfae7896e98a6acdc58f228a2

SHA512
9171ffdd858a5b4a34c90600a2270922a96ebb4f4991ec0e833397d892ac896a6af5f83c3eb3f16c6121caa537d61b9fa1f496a9a3b5d777c33fec9308f7340e

Download Submit
C:\Users\Admin\AppData\Roaming\RTC-launcher.exe

Filesize
1.2MB

MD5
bfe20aac9317925bcd8621db0946384c

SHA1
c739dfce077121bf2f7614210173966b9731cabd

SHA256
2d6d57ffff1c26183290ee15d1663283b98fba8c8981b00409bca5ccce49ee54

SHA512
3e82fe9df6e037911b6d73bbc38241fd25f96fa1047eafefa543a72e9ea7fa35e232a0e165c39ac5cc4fa864b439743d755545964347b6f9b3b39003dd1d4cb4

Download Submit
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe

Filesize
758KB

MD5
cb1929328dea316fcb34f3486697d16e

SHA1
8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

SHA256
7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

SHA512
90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
170KB

MD5
b4a592662f351fa139e2b2dbaacb6536

SHA1
effc55d139ca4b4fdd4bccce9c754661b626e624

SHA256
fae2b33e66e3f661f9ec876e263014cb89e97a66fff8eab2d311fc3ca8b1ec4c

SHA512
b31091654adc567b2fddf6e5a1e8f4f2f902d7a9471462070e0b6f5dea65a7bbc1424ddd7e1b618122bcb3310cb6b9e75a09b35e31f6fa50b4d6c563d7952c38

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.sfx.exe

Filesize
505KB

MD5
0326c9fc30cea37fc3f9dfdc9c017260

SHA1
ef2548189632d87afef60c6c5c322daf95a6fe6a

SHA256
d88cd37c5dee7ef1a3bd7836150cfb63bee3ba792a71c08685fda46f31f1b9d5

SHA512
e7d256931d32502691c8ef9e54ac448b1b38d9574ae78dfcca6764fd3a653b175e01143cfb46f70af662bd8ee1c7521942a4d9dcfd8285e225bf732c4fc8ef7a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 265908.crdownload

Filesize
1.5MB

MD5
e0e2f56b736c375d82c1668267f3fed4

SHA1
dd92ef585431f4d4295f05f04a044f84ab799b87

SHA256
2eef3ef0c91c8783544a4ea58131804dce6024fe5569ebdd1a497e0750693d54

SHA512
96ae6a0c5aa214bedc191c8eeb47c7bd17538387456d8af86680aaadf93cb3d2eb07c1714b3a597109789424584b52146ada4b67f9c04aec067c854caec30b68

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/652-209-0x0000020B6A280000-0x0000020B6A2A2000-memory.dmp

Filesize
136KB

Download
memory/1988-190-0x000001B603700000-0x000001B6037C4000-memory.dmp

Filesize
784KB

Download
memory/5012-203-0x0000000000B50000-0x0000000000B80000-memory.dmp

Filesize
192KB

Download
memory/5072-364-0x000001F9EC900000-0x000001F9EC912000-memory.dmp

Filesize
72KB

Download
memory/5072-329-0x000001F9D3EC0000-0x000001F9D3EDE000-memory.dmp

Filesize
120KB

Download
memory/5072-326-0x000001F9D4080000-0x000001F9D40F6000-memory.dmp

Filesize
472KB

Download
memory/5072-363-0x000001F9D3F00000-0x000001F9D3F0A000-memory.dmp

Filesize
40KB

Download
memory/5072-327-0x000001F9EC930000-0x000001F9EC980000-memory.dmp

Filesize
320KB

Download
memory/5072-301-0x000001F9D2120000-0x000001F9D2160000-memory.dmp

Filesize
256KB

Download