umbral | 9fa6035e3150c3e57724bd3f4f67647ed925c9c9447f00b3df7715d03b6ebf53

Analysis

max time kernel
279s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

234KB
MD5

18a5e3fd22133b48de0ac3ae4e41c997
SHA1

6664c80cf7567077385cc5f82aba04d525a7a8a9
SHA256

9fa6035e3150c3e57724bd3f4f67647ed925c9c9447f00b3df7715d03b6ebf53
SHA512

c359ef3b9b5736b63e8906f6d35e6fb9b6f286f4fd382f5f445f2a5c9e38673a04f90215349c417c19e67cd9e123925521084167ac2dce0af842d18eb3c070b9
SSDEEP

6144:zloZM+rIkd8g+EtXHkv/iD4VsEnYe5xysXKYZd85Wn+l78e1mUDiM:xoZtL+EP8mEnYe5xysXKYZd85zJiM

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/3056-1-0x000001AAE93C0000-0x000001AAE9400000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4856	powershell.exe
1532	powershell.exe
848	powershell.exe
1684	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
28	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4860	cmd.exe
4840	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3544	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691756997931649"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4840	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3056	Umbral.exe
4856	powershell.exe
4856	powershell.exe
848	powershell.exe
848	powershell.exe
1684	powershell.exe
1684	powershell.exe
4800	powershell.exe
4800	powershell.exe
1532	powershell.exe
1532	powershell.exe
4084	chrome.exe
4084	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3952	wmic.exe
Token: SeSecurityPrivilege	3952	wmic.exe
Token: SeTakeOwnershipPrivilege	3952	wmic.exe
Token: SeLoadDriverPrivilege	3952	wmic.exe
Token: SeSystemProfilePrivilege	3952	wmic.exe
Token: SeSystemtimePrivilege	3952	wmic.exe
Token: SeProfSingleProcessPrivilege	3952	wmic.exe
Token: SeIncBasePriorityPrivilege	3952	wmic.exe
Token: SeCreatePagefilePrivilege	3952	wmic.exe
Token: SeBackupPrivilege	3952	wmic.exe
Token: SeRestorePrivilege	3952	wmic.exe
Token: SeShutdownPrivilege	3952	wmic.exe
Token: SeDebugPrivilege	3952	wmic.exe
Token: SeSystemEnvironmentPrivilege	3952	wmic.exe
Token: SeRemoteShutdownPrivilege	3952	wmic.exe
Token: SeUndockPrivilege	3952	wmic.exe
Token: SeManageVolumePrivilege	3952	wmic.exe
Token: 33	3952	wmic.exe
Token: 34	3952	wmic.exe
Token: 35	3952	wmic.exe
Token: 36	3952	wmic.exe
Token: SeIncreaseQuotaPrivilege	3952	wmic.exe
Token: SeSecurityPrivilege	3952	wmic.exe
Token: SeTakeOwnershipPrivilege	3952	wmic.exe
Token: SeLoadDriverPrivilege	3952	wmic.exe
Token: SeSystemProfilePrivilege	3952	wmic.exe
Token: SeSystemtimePrivilege	3952	wmic.exe
Token: SeProfSingleProcessPrivilege	3952	wmic.exe
Token: SeIncBasePriorityPrivilege	3952	wmic.exe
Token: SeCreatePagefilePrivilege	3952	wmic.exe
Token: SeBackupPrivilege	3952	wmic.exe
Token: SeRestorePrivilege	3952	wmic.exe
Token: SeShutdownPrivilege	3952	wmic.exe
Token: SeDebugPrivilege	3952	wmic.exe
Token: SeSystemEnvironmentPrivilege	3952	wmic.exe
Token: SeRemoteShutdownPrivilege	3952	wmic.exe
Token: SeUndockPrivilege	3952	wmic.exe
Token: SeManageVolumePrivilege	3952	wmic.exe
Token: 33	3952	wmic.exe
Token: 34	3952	wmic.exe
Token: 35	3952	wmic.exe
Token: 36	3952	wmic.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	wmic.exe
Token: SeSecurityPrivilege	4368	wmic.exe
Token: SeTakeOwnershipPrivilege	4368	wmic.exe
Token: SeLoadDriverPrivilege	4368	wmic.exe
Token: SeSystemProfilePrivilege	4368	wmic.exe
Token: SeSystemtimePrivilege	4368	wmic.exe
Token: SeProfSingleProcessPrivilege	4368	wmic.exe
Token: SeIncBasePriorityPrivilege	4368	wmic.exe
Token: SeCreatePagefilePrivilege	4368	wmic.exe
Token: SeBackupPrivilege	4368	wmic.exe
Token: SeRestorePrivilege	4368	wmic.exe
Token: SeShutdownPrivilege	4368	wmic.exe
Token: SeDebugPrivilege	4368	wmic.exe
Token: SeSystemEnvironmentPrivilege	4368	wmic.exe
Token: SeRemoteShutdownPrivilege	4368	wmic.exe
Token: SeUndockPrivilege	4368	wmic.exe
Token: SeManageVolumePrivilege	4368	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe
4084	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3952	3056	Umbral.exe	84
PID 3056 wrote to memory of 3952	3056	Umbral.exe	84
PID 3056 wrote to memory of 1532	3056	Umbral.exe	90
PID 3056 wrote to memory of 1532	3056	Umbral.exe	90
PID 3056 wrote to memory of 4856	3056	Umbral.exe	92
PID 3056 wrote to memory of 4856	3056	Umbral.exe	92
PID 3056 wrote to memory of 848	3056	Umbral.exe	95
PID 3056 wrote to memory of 848	3056	Umbral.exe	95
PID 3056 wrote to memory of 1684	3056	Umbral.exe	97
PID 3056 wrote to memory of 1684	3056	Umbral.exe	97
PID 3056 wrote to memory of 4800	3056	Umbral.exe	99
PID 3056 wrote to memory of 4800	3056	Umbral.exe	99
PID 3056 wrote to memory of 4368	3056	Umbral.exe	101
PID 3056 wrote to memory of 4368	3056	Umbral.exe	101
PID 3056 wrote to memory of 1464	3056	Umbral.exe	103
PID 3056 wrote to memory of 1464	3056	Umbral.exe	103
PID 3056 wrote to memory of 3400	3056	Umbral.exe	105
PID 3056 wrote to memory of 3400	3056	Umbral.exe	105
PID 3056 wrote to memory of 1532	3056	Umbral.exe	107
PID 3056 wrote to memory of 1532	3056	Umbral.exe	107
PID 3056 wrote to memory of 3544	3056	Umbral.exe	109
PID 3056 wrote to memory of 3544	3056	Umbral.exe	109
PID 3056 wrote to memory of 4860	3056	Umbral.exe	111
PID 3056 wrote to memory of 4860	3056	Umbral.exe	111
PID 4860 wrote to memory of 4840	4860	cmd.exe	113
PID 4860 wrote to memory of 4840	4860	cmd.exe	113
PID 4084 wrote to memory of 4076	4084	chrome.exe	123
PID 4084 wrote to memory of 4076	4084	chrome.exe	123
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 4800	4084	chrome.exe	124
PID 4084 wrote to memory of 1800	4084	chrome.exe	125
PID 4084 wrote to memory of 1800	4084	chrome.exe	125
PID 4084 wrote to memory of 4452	4084	chrome.exe	126
PID 4084 wrote to memory of 4452	4084	chrome.exe	126
PID 4084 wrote to memory of 4452	4084	chrome.exe	126
PID 4084 wrote to memory of 4452	4084	chrome.exe	126

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Views/modifies file attributes
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1464
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3544
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ff81fcdcc40,0x7ff81fcdcc4c,0x7ff81fcdcc58
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3692,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3492,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3416,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5096,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3524,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5148,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5520,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5008,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5116,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3984,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5732,i,17434281528944965628,13358860762346259957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x294 0x4f8
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\369b82c4-7301-4acc-8e96-3731684d4866.tmp

Filesize
15KB

MD5
5cc8fbea529b0bd1b52e0690fc2d1608

SHA1
7e71e8a4933e8ce4a2a60aa3ddec5c8d607513f5

SHA256
e155d1bb4ff8a9d6991a419b49b685815d1d76afbb9da6f0e6be0d17418d9be9

SHA512
fceabcbde928d04d92b8eec9fb35def4798dbf80c071789992680ebe97d05049931d156932d01414c08c1356f3b11d965295599922bb2ace7257a335b68dbe45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
23504fee982c6f5dd2349adaa3d9fc31

SHA1
230c59293a95a70d6a3f56396dbffff4c9bbbde5

SHA256
fd77f70f6383e1fbcf82a618c222ae16c6b7f9057b0890e7efb1713367a40798

SHA512
6851346287a078bc1aef38ecb3bca778e65b73fd30f5dd41ccec10e43687f51d24a2af788d665928d617ee8ea1469b6ed9da0bedba315c1797ceb57a7ba9995b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
27KB

MD5
6da5998f8e90d28378c84a2f8b1acf9c

SHA1
1eb55404a9d4089239d61f07b64d83d16d578bca

SHA256
10714240fab1bf95a09c0a6461bd3621783b763b6847bfa8255622d7d13a4fd8

SHA512
8a96b06b85ef59794870598ce40cd67fd1d608ddb08ea71fbe47e499dc449461ba0a0125188f16efe33a4e22cb8fac403685ab18748a119379aaaf2327976310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
65KB

MD5
a78c60528812ce56cce3d4c2ecc96179

SHA1
2bdde5a52d92c3ee2c4cce7eef421050ae0330bd

SHA256
53e7d87193b0fbcd7961651672366741b954d0c3f6533547ed987f57bc670544

SHA512
7679eeda0dda937255326113862ebde93fafc0f1e2a24862a8d4c5310a85b1d73f9622d010c8ae207694e5d8e4b021bb3579bd40b8c95076b8bc6a119f1d65c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
81KB

MD5
4ebf691f1bd51fce917701717e1e0303

SHA1
d9253759337f9ee8fd6164a3f5f5c63cefabe220

SHA256
9ae76a8dc528cea67316b7881feab55a2ca2448b6c011c63e26ec068fec24b21

SHA512
49ba8aab1394d2995019fe5383de34a823c434a7e50363f55ad82d5e8aaff1cf84b0df6e2b90fb0470b671ef722c248b5d2ee6d6e041d687dbaa2c1456e32815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
100KB

MD5
849e11ae6f07e26ef72b7d0707e62ecf

SHA1
0c9734f582dbe528c741f9510ee9ea963a6e119c

SHA256
1e9bdc4668e1b416730dac114ba4561e23c45641caef4ac541d7aecb657530c7

SHA512
d704f0e1dc36933522f1cc3a880d31593a7c1a8106603f5ef2ff295aeefb3738a6851002b79c4189d922ca87b7e5d1177a4ecbbe1a248f93a4210504fb7444bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dd1e5cdaf73a03b7f943d698c99d1ff1

SHA1
0ab3cb8013bfc7a19d3e3b6f25150ee6811a2467

SHA256
5cc0feac40ba1c5a8e87f9f282a3b87e9bc0bbdef513837cbe1917f4fb424c75

SHA512
986ef42c652d08686d8a7f46e7ac0b13afce14a67640404e059ad4f2735326bca9288fa725a70a28a38a50fc79db775352ca32e5c8289a6d1e69b7d7fd7166de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
283d0eef2fa639a300cab54822a00171

SHA1
da392e7c0a657269efdc3c5452a7413e8a0ac860

SHA256
b4b1124232383c1dcdfc4c07e74eba4a25357852821d514d453d51a95acbea7b

SHA512
8c8ed487aa59f9e1d4b613563322e54ff62206ca1e6ab1d45fd866d5e4126f74e1ee8e378b24862294c73b884e543d8ccf623a94da116694fedc3cddfbc07c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b1b8d3de33af1a753fb94c0a32b65f0a

SHA1
ece091a8d184ce1b6f58b1d2091290d00ae195da

SHA256
20904824020b32130db40017fb801a7baf9a12f19c2881bc16f8a6044897f011

SHA512
fa12745ca8ce20da030573bdda3ce03f98b87f2d50347042e272b672296e7c67ca1d6eb291f3cdd832fb6a82a67cfe6dcd24e1cdba956c65b096d0258ef98c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0cee4f4f252643f29ec5360e6711bdce

SHA1
b969fdd9dd469654793635f5c62653fd4d6db9e4

SHA256
85376c501682b73ed18e1ae501583a70782094942db8b28ae9c16befb0a2329d

SHA512
911693aebc4c4278cb90b3b3322a27c045ca33e38f5b65cfd8f2683aed8cc1423a19136058ee5aed41855b69ad876c31a0814b72ea660dfada01b8c9fe9ac4a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
21d1d68012330c01f7981abbea27c267

SHA1
4a4b04604cb187bfb353f2fc55c400aed74667ad

SHA256
b2829d042359b5636c2bf2a6ee13054e47d9513b5ea7e63d718a3ad876e16e2d

SHA512
aac650e523c1be851e6fdd6e8131d079da574ce2fd5620b9bdedca7172788b3a39867079abcf6dac8d6cc3f15a5610b54b431e1ceb655de419f3ad341b204913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f9bdd8e9a336df5c0d073f59aa123c10

SHA1
90c792279e05612b296869fdf8c28a1fc60272b0

SHA256
0157209234522fe53686e1afb0cab22ee5225f695d2748078b20205916b8fb3d

SHA512
3e06262239cf0f5ee56f35826cfa7c7550651813accf806932a6f7f3e0e55ed5f754078b66a6da2eaf503c0faaf9922a6fe0ae73f99fde2464269f615ddcef05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
f357cc007f23ab2b0032301f863654e5

SHA1
c87e0c9851b049b8cef6a2863505d1ffca2c3856

SHA256
e914998c5e50113c31e1d797fec92ad0eebbcb60c6fec72ccd9cbc6c259646de

SHA512
897702c5bb598253dfe65891a2a2ac346d1682593115e408b3ccca72ce57b1741bf4f43ac7245be047cc3896abe5035ef401ed713e1bab5c631d86cbdc847f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
0441c01d1d7e3f1bed5db7b1e4a690e4

SHA1
961f55ef2562282cb8f46a0b1bac2a17966b1393

SHA256
a22026d881dbefdc736b0aeea1bd3fb90df6cbeb2b374a17a9e489b9ecd36ee6

SHA512
6549ef47b4a1c0366cddc3e6b7872eca45569be5402287c94c97864ee767635ee703a7c1616e2a94baff7dbd92a301d8f9d2376dffcd3a35fe26a965f6e092c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
78881bfa831c014f6a03ca37a6476e3e

SHA1
10298066425f22eac93cf8dd47328c10a03cac9f

SHA256
dc354724aef7140f9abe271adef7ae4da5c5399c8ff6c003cc6cf82367348289

SHA512
e4197e7462308083ded6119dba7ac2882f2914a40e5a7ee4a6edb8a8dd676b59f309edbf028070f20f1a404704ddbb7f882bbc1f1b7e91b59d7e3aca3d9de0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e01923a478da6728bcc78e35803df63c

SHA1
19bcd62ebc8727293b4282fbb07ffda69ae4aebd

SHA256
da231acc457ec85390572edcd9981af35403b178c7aea87ff9782773e1045005

SHA512
1477823e228660d48c779a5073c3272460cc2d7894d1df8beebabc318fa9e9fd48af59d49c04873a104d5698763ef7bfc3e5e20dcdd61f3ed500457a51054e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
656dfc531e1e5598d825a27f10fc1618

SHA1
8063611d1ebc29510dc9fa8c35445449343e7682

SHA256
d52b54c8a63455034ffcb778c2266e82542e5c6ef157dd517e48783d9e7a034e

SHA512
2a1cba939acbac22a248c0055584e3c4066c0a0ea9e44f38292e38f9c3aad87b592f34520d5d33c600f12140ad4f2359ad8dbc6b72d9954fc0d7fd22a8da25c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
3d18e7dde8afd0b9e066cc5996464b30

SHA1
ded8d6cd5e384d7f96f59cbb8d71f367b5f6b5b0

SHA256
d2e67ba8ed9e7dc751a72b05e85e293b4ee5867156e1900781c71500fa3fe5b7

SHA512
84ec72728c5e0971e526443ee69e25aad636ceb082c38d266c83743a58302d008ef4ae2beae68d5c66d2fc67e5a8ad1efa02b7dc878ea2e72a49d6f5ce2b77d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
3e03f440f1c1c6a92c8ca44f349c7603

SHA1
f58e4019efba444f58bafefd7fe99c9221ddd615

SHA256
1efd2ef517e3af0ba4daf9d404c05f4a7cb7f70d70333c8f30186333cfa7b1b9

SHA512
04a41da59d0e3eb4f56ab5ea96ac91fc1d1255a24dbe708101d28e7fbd09f44fe9adf8c1ea75c79fd6599f49dfcf01fd3e3c54189b9aa03086acea6e6680be91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
8cf4b7a38df2e9eeaaf2dcd2fa59997c

SHA1
fb29eb53f1c7639a9416294ee74710f5da864d7b

SHA256
8d03d8cd7c7cc1dbe8878d6cebab719565363a4ec91072fb5b8f949c1d5f626f

SHA512
65acd3a59a71f56d74c785234f9eb38bf99429b3fac0fc3da9ebcf386366acd9fe4f804b2928dfa34f57ab83f6ef44b32881ceb78b06a8264c1b78f009374781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
6b5b6c570b23f852cfb345abccfc2074

SHA1
9f8433a7f886b60eac713d426fd6e3481685420b

SHA256
c5fa53eddf520d4e3dbe5edd654abddbeaeb7eb693fb8cffa152316d93e60dc3

SHA512
fd0ac184ed1976773d94c81470d6b5a8c258d0526b3869daad40556d62e2f6da6f3b0dc031f8037b778e71f7ea1fd0282c85fb0b9278432a31a856e5bc2f02e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
144cb46800073e6a859b3752019d05de

SHA1
e72ac4b1cbd6d1d0da4c83fcc013e40246b574ed

SHA256
75d2cad2e06c7f5e90aa6ad9005a2f167e91649c2f825645887386b7a77b4bd4

SHA512
57cb8df8ed2937843edbcdcde1734cce6b0a28db8ac75eaa452be5a8376a45873abfa5272a6fc203668644d37be5f388ff3b7467bb1b441793421e2d9befd56e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f74c5f3ef914254fd056cf209da68023

SHA1
aa5ce461a4a24c6418041144c20bc1cb3d615b4c

SHA256
7860f379513db42ef2d9350da758ef7d84ed66f2e0fccc04aaf8da9f50fc5528

SHA512
46b9683474b14186ea50a336e821fe652dcfbc1aec8f8ab449c97381ed714f9b7acdc7901f119b3d3b3b36183ade03910bdfe75e9484a7efd56f3c6862249afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0601e0995b63a4f9eb14d0558b58fe4

SHA1
95eae14877a41054322854ea49bd6a92135dee7c

SHA256
571b009132d709659dc84a987bc069c1421aae7d5691e835ee23e5087315a7d8

SHA512
ae95aa09072f8c38493b761fd9a12efb6b15b64d768d71b6f1492aa59665c54da8c92b36d14470672ffb094c5de6b327b2050364eecf04113d228e9b2c71e922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09320f0cdf6b3fe82b9ee41317f8bd37

SHA1
93f4cc9103235515317f9e15dad473e98d7c1590

SHA256
163568865f3822ca6c88cad1137ca96429d377f7d5bab9331e9533e16a37330e

SHA512
df890cd89e0ee745600dec4b4bc9659b8d65319b1e04fa0f231626738384887341c627b0fb5f6ad0a3144618c59f059e72925f6918879ee89206aac72cfd80c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5861fceeefebffbabcad95238fdfb3ff

SHA1
335b6ca21673fe2df614c6ea68906e6106c050b2

SHA256
ca07e4e8d8b4023c05f12beef11dc2dde4a37650fde0260e9b1c8eec2303bdfd

SHA512
c76d9675694e7c9d12360c4996d6fe0b25368a3f061038c4e03e6ba5b11c3251066c73c5f0f8c0cc17d50e3bc2e4cc243ad1520c2a2e585445cb006007643471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e097691636ad2815895109dba5371fdc

SHA1
73922e0bb1c45b3bfe0aa6b92403625acd0ef197

SHA256
b36947b691d66516a654f4a4d68c8c769407586e6d8d8c578a5e3b15d8b0f1a2

SHA512
a7eb1265b2af8ef9c753d79b7b08513a745481f37178e359ab9c51c8b0965d1aad19a972a062d08ed2fd10607d50870dd76c5597b98db23481fd7a411700326e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a1462a51b95f5234b1b9033d92db5e27

SHA1
faf3c1c9a2ab4bdd3e340d46427b2c8e30f8d8f9

SHA256
748739dec4027002fefaab336e3d44a15d6eb109f5ab008bffd376e405dde2a3

SHA512
66c65019494ae12e119ade56dfa66b9008337a8dcebd032cac070e6c6d5fb4816698fc49903ae35a75ab0e1ab236799f5ae3359d30b36509fecce42548b59aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ec2a8510f81b286f0db51a099a4d31d4

SHA1
d098627e58bd619942985fbcbff3ff55cb040b25

SHA256
fbee7490d517e1dbc3b14bf380b3f6b916bcfeb709a6060dbaaa40fe86bfb2e5

SHA512
741deafdb2eb70d8dfffd89ecf9d9f31c122ff20ebc9a8e8e4ff20e6250de09f59a7fe9670d6eb966eec32b727f6a756d072133e8ccd1daefb9c3ee59395946e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e28ac271327661f1da4756e4b4358857

SHA1
5babefd93c09a911c116a4679fa5441e289f116e

SHA256
1b80f68922cca94ef930755e4c39e7bfd707498c3ad0d0572126556bd16d1bc2

SHA512
e5b5b414275c3c8685f33ced65ff49d08bb6320d77c069ac60efea069d8c8cafc510d8b7ceaaeffe469b0273f22c8bc3be5ab95fcc7a25b62840250cc3b17113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61cb2a7fe825f85467153d840eac92ad

SHA1
7a81a90be3520d74b9347e159e3977f7f85e05c7

SHA256
66a21629d768a4fb62aa61e78b9e1bffa44c170f18ba5bfdd30ecf5c441b1374

SHA512
f2cae3c394b711d63ae48cdfffd70e022c7ea90733d72873afd04b6d49d7001e799a5447513b4b506bf17966a39ad61d04a338e5e48aa5c624eb27c371a02e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4b0d7b8370f8054b45d66e42610d115

SHA1
5c1623a0676b3ac1f707f79018e93f62d358e0e7

SHA256
35fc427a97dca8f0befd9ab9c14655a800b912d410940da6d8bfa64ebe210ecd

SHA512
e420488017c5a6589803d57e3ee1e51eb3f8358dfe097db639e0148c035700855459ae9d28def183e2e052b20ce7fddb5aef80f652bc040e59ffdbbf629c0016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88d250b9f41e0faba6c30a824068bc3d

SHA1
51ddb41cdf5183d89c522b82fe39d7b3a0a28cc3

SHA256
2ad876b672ece0a63c39b4d3f08d542697c33e44db8dd0a5cd38fabbe0c86b46

SHA512
d4aa846539466b7bf9338aca1e360436fad6c8b4d9457d1e038cfccaae7de62db137d10343db329f09c5de2bf64d17f30445a6bebca984d653772c9ef7c3d9fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d9c1a2d68cc88b94c8a13fd3bc58afa4

SHA1
a36eb75263c98c93a67d4b63e50b57e3e02bc448

SHA256
72d71689b72fb41bb99b9a4a7db87a1371b86e3ae3bd5ed75b6c263e00cacf2a

SHA512
9826740bdec6686836c01c7f627174905f639e24aeb08c1e19b9943cbf8c8ce0ed1eb47117aba8f028f7730b8b55d6a0eb47755c57a7fae042ef778f00cbf822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f87dc6c3d62caacc60e32d8fba3f965f

SHA1
49ef36757d7c58d06e6b8fb4b4cb3c9a1f743b7a

SHA256
c6f2911ca9bb03896a9eec96f4d3bf725b6d3ba9155ffdb5f854799548b3127c

SHA512
5d4cebac690a2e51c0346de4342ae8dd5264cab2e9acef0d12d0d1e6fc4fa5688bb02edbba2ec9b9663b90837d74e7b5f90c6ffd101a92d353b55e59c9eee944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ec32a88e44f7498223e34eab9cedacb7

SHA1
5317cbfbbd5a0e7926c587cb4f35a7e6d7526df5

SHA256
a7f37900a68146333aa89eac1896462d74bc4fa0e32c87176fac8b5cd6af2d41

SHA512
6b4e9613ef840eeaef508e6606ffeed9cd778312b983656787c89861c7019cc6c13e1b767dbc15a3ab0bc0965043abfb19fba76974060cccf61c7556092cce25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad1c48c468e04fc6a88d20134e3645cb

SHA1
40538960911b5d9b74e6d63579d4e458e95d3cc9

SHA256
28ac491857bec61360ab138181faf34c9c255190b1060574f6165c0759bd5cb7

SHA512
50638891631b26e7f2f0a3b64d11127b162a6ea3d2de3a767c169dd1fd4b213b13e1a199562d54e6313b75e1cb5118e43a92eaf1d7ce926f73f099bd6ff3ceff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d522dbedf571eac06ca17c3dc3e9af5

SHA1
a417cfd483ee353711267cca27625d008dcc36fe

SHA256
901ccd0e28d62ec9dc69b3e3ba11b95c69b272775410be53a3305d40cc0f47af

SHA512
67079217b0b7c6a8ba37fabd0b643ad3c7ffbdf44b8cf3cac1f064c27fd9a11029f65637028af572b34e21a7441fbc606e028521872b7180a6529db61908cb96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5fec917fda45bf9d6d34069597ec27fe

SHA1
ef9dac5d019f93c9a07cb397d4a7f94e143551b8

SHA256
e47b42d928b3a0e859a28d08cadb2494a9619745b51183bafe2b10ddf0bb09b3

SHA512
19b77a9a891eaf8e11f178cdf4652ca7a9ddb07bd3da2234c8f5e9f802b128e28f28c18655185d8f1a61919d0ded90cdbbeb6926957df98523c4886029b7da04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
45c173a1dddfb00c8381c3c0ea561d28

SHA1
49d4434823da4830152d75567ccbf19e5c08badf

SHA256
1577e14e78aec04a7302f06fd3a1a335c3881da2b7d2fa557bad2ce5b180f0a9

SHA512
161195708bb9f81611f4814389f430e6b339310a9317137d26e97c673219212128071dd8fc63e7e1e79be91f5635d4b28f1b0ec0cade18b59f182a4ff2e7e4a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
22c0e1170f8f79863e79a49aace89752

SHA1
c2bbeb3e13bc514a2f469f9c5dd9bdef2a42ccfe

SHA256
a3844292969e2b79b7544be9a20a8ee8e6b1038c3421a1801ba2771286a86654

SHA512
1aeb21a346a6ad9d7a696f6a333dd251fb413243afdbe2570fd9d5dd9ca9aa84c6793b292f04cadb3af98b2553cea05cb88420c4e95678ea3b76de936b79c7b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
d4a42b9ad5b4dd10c7c4b5720bd8a584

SHA1
acc5dc37415727b471b62976d6313111812ac2b3

SHA256
08347c96f541a7dac26585b29601175ff78470890939f5e1855147a4ae995e29

SHA512
c4d3cdbfcb1cd548f4567f302b49e638276e1922c09c1436d85e44c7ee825658d6d428c63b0286309eba9db3ccdda91acb8f83b639ed0d9b616fdf530570761a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
9af9b9289ba8dd2c687c02593b4a843d

SHA1
b3ed36e76209f1d208bb9c89b6f9e3381b602a10

SHA256
02bf369a9e0063f11cb06f968f49c4fe84d1c4ac7d9d0445522f4c9d518cc346

SHA512
3cf23eff71c7228314d6177cb6966433b6d26b932dc5eb2db0a16068795397dd41152c00d1b2e6230943c417f783ea46ae8c87afd0f59318888f2dff162bcf63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a59afbaa-6658-45c9-a288-f7c1479df61f.tmp

Filesize
197KB

MD5
c685cdf1673767a7600d5fd77513cee1

SHA1
18d9ac0b29577ecf9f82cfcf59ca6fbb4e3835cd

SHA256
ae3eb83cf46cd099a71afd1a1c1ebb84817e6d25dfdde5f86523b9e982ae804a

SHA512
b46967e1497761210315cd3ac5af0c2366f3eb51de7b35658b4850dba97978622ed0f68eb85fc7187807dd3e1ba3221789ed0a460f278f427ba99e836c1fe6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
063fa26d779f114734bd9130125608c3

SHA1
3a1b8fb1a319f6c40a71b117d6b07106d2a53857

SHA256
e8f8cb3e295999c4b311836d5fe1213b4721d56ab14af3eacd1bcdd051b5a66b

SHA512
fbe868cad1196fa3630581f269e8c512af1ed7b1d1e5708c369ed28810d37e48301370f19260657f47a560165113d28437741db39b91aaff69776143598b4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgtiba03.svr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3056-90-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download
memory/3056-33-0x000001AAEBB50000-0x000001AAEBBC6000-memory.dmp

Filesize
472KB

Download
memory/3056-1-0x000001AAE93C0000-0x000001AAE9400000-memory.dmp

Filesize
256KB

Download
memory/3056-71-0x000001AAEB180000-0x000001AAEB18A000-memory.dmp

Filesize
40KB

Download
memory/3056-35-0x000001AAEB150000-0x000001AAEB16E000-memory.dmp

Filesize
120KB

Download
memory/3056-2-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download
memory/3056-72-0x000001AAEBB20000-0x000001AAEBB32000-memory.dmp

Filesize
72KB

Download
memory/3056-0-0x00007FF81F5B3000-0x00007FF81F5B5000-memory.dmp

Filesize
8KB

Download
memory/3056-34-0x000001AAEBAD0000-0x000001AAEBB20000-memory.dmp

Filesize
320KB

Download
memory/4856-15-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download
memory/4856-3-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download
memory/4856-9-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download
memory/4856-14-0x0000026A4C590000-0x0000026A4C5B2000-memory.dmp

Filesize
136KB

Download
memory/4856-18-0x00007FF81F5B0000-0x00007FF820071000-memory.dmp

Filesize
10.8MB

Download