umbral | hxxps://oxy[.]st/d/Myci

Analysis

max time kernel
108s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.st/d/Myci

Score

10^/10

umbral credential_access discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/5900-404-0x0000019EFA420000-0x0000019EFA460000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
2956	powershell.exe
456	powershell.exe
5676	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Tweaks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
439	discord.com
440	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
435	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FilterKeysSetter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2236	cmd.exe
5664	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
420	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693875372208769"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5664	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4500	chrome.exe
4500	chrome.exe
5900	Tweaks.exe
5900	Tweaks.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
5676	powershell.exe
5676	powershell.exe
5676	powershell.exe
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 46 IoCs

pid	Process
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe
Token: SeShutdownPrivilege	4500	chrome.exe
Token: SeCreatePagefilePrivilege	4500	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe
4500	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4976	FilterKeysSetter.exe
4976	FilterKeysSetter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4796	4500	chrome.exe	91
PID 4500 wrote to memory of 4796	4500	chrome.exe	91
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 884	4500	chrome.exe	92
PID 4500 wrote to memory of 4852	4500	chrome.exe	93
PID 4500 wrote to memory of 4852	4500	chrome.exe	93
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94
PID 4500 wrote to memory of 808	4500	chrome.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5804	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.st/d/Myci
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdce3ccc40,0x7ffdce3ccc4c,0x7ffdce3ccc58
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4440,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3200,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4336,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4976,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4464,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3868,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5428,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5560,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5728,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5892,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5552,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6156,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6292,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6436,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5900,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6388,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5876,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6400,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4112,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5244,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6304,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5312,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6848,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5340,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5444,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7084,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6616,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6888,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=6936,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6924,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6996,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6220,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6908,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=5540,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=5616,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=6648,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6312,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6248,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=4724,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=5020,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=4624,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6004,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=5912,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7296,i,1436738186441524326,847236043121278296,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:5880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5260

C:\Users\Admin\Downloads\kaaka\Tweaks.exe
"C:\Users\Admin\Downloads\kaaka\Tweaks.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:5900
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5132
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\kaaka\Tweaks.exe"
  2⤵
  - Views/modifies file attributes
  PID:5804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\kaaka\Tweaks.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:1304
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5136
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:420
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\kaaka\Tweaks.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2236
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5664

C:\Users\Admin\Downloads\kaaka\FilterKeysSetter.exe
"C:\Users\Admin\Downloads\kaaka\FilterKeysSetter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ec21956526d0a602e75d942aeff94b56

SHA1
8727e241bc280e7ec477c9140f1bca83f1ee9591

SHA256
6d0d0cafa3a6c239329f99c7b989fce65d96c9d4d40f7ce69a41dc9974bbd1fa

SHA512
3ec4082d7a9bfe4477b756cf15412a9c052907e70283495f31ec1779d7e2bd6135f873de57978166eccd6018a1850a1c628d908600b9a39a5b61a6abe139cc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e520368d7d1e44c00cb630663537c376

SHA1
cf175dbc7e3fb21cb7dde7b5ee11638931a93a13

SHA256
b9a3afe860d2e15f13a73810d73d328aa8ac9c7a80683d954efc1146be831de2

SHA512
f9ad126c208a77ca10075bf50f4c4876e3b994fce535275253ec2304a9dd1529a8ffa5861fc8e49dd5689b9920c9eac83d94f96181f73f43cd8774c01de34526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
cbaa0ab74d476053b391fd101faed169

SHA1
aec35b91e67d448ced04049b92efca3040ca4a5e

SHA256
0750c2dfed637b26b8b5b07ab51c57e64fcbe0efeba6f9fbfb2ccdedba5620df

SHA512
f750b439b26f2d40d7466042897da804fc9554baa4063ddd3313d4354c3a5a992e16fe605d92b7b3f4260a2dd4d781aea507210b8e35ea2484b156aba3bf3cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3c00321d2422ec55bced3f7a7e563d54

SHA1
3f94ac74e125e1b9463c38cfe94f1c42ade4eec2

SHA256
3b1454e156f5eec94e11580f3d6c1164d6648b5ac433d5f53b52bc85c77f5a45

SHA512
146813b042fd4c29f0fdccdca45ea3675d908dd31dffde5ab6a1083238567d350fd59c29ad0a047243a666afb55684bf110c5aa5cfe5e5cc99550bb24cec1697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
4f6e158f08be1cc9a9e743ce406c3516

SHA1
e4a8adcb61b39a52e3a156f5ff3167559a4446e5

SHA256
1755e489768def5e978081de740eeb98f9341bc5f326a73b517e5a9f4d6b686e

SHA512
d34d986788c7d849a46ea8399dcadbe1ffa06db3b75db0ab2cfe193ce29c684838fb4668bf1086a73fa1cec115cad235380473019d5e895558d9372304aa65ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
cbb959b2ec542e240784189e3e64c0da

SHA1
82331162698dc590b6281284c00d42ff74464f3c

SHA256
ca1c52cb1883fb30cb13629894c21310eb1da05bc48176296b53e8c3371f3309

SHA512
1a746ca13108ac39d6f208770a07fb0e3a2daaa99895eeee87923252a0eb967a6e6201baa7c21124e3482a5b3ef9050712190cc6094ccc4aeffead06309360e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6e39f42d1231932472d9bb6f95fa31e6

SHA1
43224cf61cd12fba2a39dfaebc27114334a12e02

SHA256
5b50306f3c262db904b481829c97f50583ba3f6f8ff6ca4e6e4946bff5ce3049

SHA512
6aab4c2e1163299a402e95c2a968a604a0e3585d82f2e7829806f439a414ce22bcdf036eadd526059987a0edf760f49898dc82e7eccb235bc239a7e8f036c70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
b3489734f9159d2a851ea9fb58cb2e58

SHA1
2d106ae5e2b2d918eb9c762015db05f3b215c5db

SHA256
7687da922eab5861ce1d1f4c4aa38f4619381616d15bbb69a5a2bfb8c18ec22c

SHA512
fc4d5d72b4e87d674bdf4054ab35e78048522df5a35011dbc6f5b2dee03403626c3cf4a928234de0ec8092bb3a01198293ec2a1545f30fafd9dedb64223b3a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
03e95e63b7e99bf5eaa6e25f38d45624

SHA1
00bd71ec9b4e96695f86668d842094a5a7320995

SHA256
3a7d165cd1f02eb33a2edca1fdd0cc069069869ad870ed844a3c86a545be358c

SHA512
4b9a98a99f2555aa8387c0028c2a165fde65d74282a7b50f6361a6fe2a7ca7d10402b9b3b09bd0be2bf7c09f0ecad3d8cfc46f9babeb83fcaf36c91b7864c09b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
3428b80720020a94e7a176eb6c45fe8d

SHA1
ed33cf15cce6d841652959e2ba85f451bcc00c6d

SHA256
90b6bcb0c1bf317b3b184b63ae00991e8c969fe44252bfb02f8ead1dcf6a70b7

SHA512
1e48af25f889cd7f13546890f66ef9f9898a6d958c93d8eaf2af0152263ba9c4a3acfeb15288a6ce76ba5841f85af5229f54087c1250ec5f178ef85f3935e8cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
50728e9c5d534498abacbe5f931010ba

SHA1
6bbdf96ef3abba1f610d5324fd6cb0038b898ccb

SHA256
0bd311352c477683782303b2fd7ec3af896f18aacb5c7ecb30e1c8573d6210c8

SHA512
7ab2c9be7044894388de23fd6ff5c6a37124d0ac01c3f6ec4cf842b72047d7d94528b9d3ebb3663fb1c25551853971626c7fe7bc2bdf569e5a882fa84609909b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7792d631bd8626872715c32bf13f0312

SHA1
861834eb38ff898d88f3560eeccf5779ceeb793c

SHA256
45503528604d60f3516dd0a2e86efc307b196ebc3f0242e56124fc813efba0ae

SHA512
5bc216360ce5451dc04540e983ec7370f695cbebf8fa058043e9e724eeae112e3e0746c9a863785d3c92edb8da6cba5876cdb8ad902dbe35d7a5e201daafffac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
27d3a87156b92aa33df1a7cd4489d4fe

SHA1
781be84eacb6a706e626ffd300475249869c4b5e

SHA256
29807b0f04ae130972628d2722e4df5a0133bd15305bb6c88035359d97cd99c9

SHA512
d9cc3e9ffddfa9dd8a509c8ea4ece29ba0d21bb290814978b8afaedc984afc1b16c477d6ce10fd45d8ed7b8302424e50d4d4b6b856736be2f9851b914cbb5124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2aa1017fa0db89e9fbbdf35f963e44a

SHA1
d9e905f582408e130ae165b8724e29c851a305f6

SHA256
abcd49cfb2eef521ec07be1f97e56d58cbb1d2abf275e2a3581bef1e5ef05cd9

SHA512
68a6ae0b7d0cc053ca8e707194d411201db8a5e661da1b03786d3e322e1204d2c55c847d99e2d27478b42564dcbb92330cbb589b14d9c4b7d32b6a4f89e53050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
73c2dd9721677813d00ff77bfec478d7

SHA1
5687f56b26cea85b088d6317de4b448c0a327bc1

SHA256
d1216f85d11ab6291466d5ff2fd28455a5453284cd611ca9f97f0e5bc5119092

SHA512
94d8bfdd47a3b34774dbcb5c8c29ee4e1e4761edf28303e16d502454f5bcd9d410c91bda818670b914e70be0c30c9f8d668a5d9b1b6ebb4c95444eee9467561a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbc48ba1f473ca5240045d02eb449e0d

SHA1
3e7b29ed708ea44d1607bbcaa1fd5a8ee208ac29

SHA256
3b8651e17d207160839824209ab8bb103bbf2bd86b8eccf1ee610bd790723889

SHA512
29658e2002096a46cd7f73a8b71c50707ef0c7813a60896c54f6641f268b7bf2057abcf4dab55e562505387c20995c03c0756911da8588717a934be70d9646fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9b4bb8318b2fe9372bca83dc41eb840

SHA1
d60bc7e0e0baa71a46c381036c305b00b671cc6e

SHA256
a16f0af6562edf1abf3099df33e5c1d6c38f530d44f83b736cd3002559a46c77

SHA512
c6a75afdb43fcde20c00a8cc9e4987730eef94fa4a344969e688b561426b4c60eda5b1f43eafd193cf8939a9da912ef5b2eb68d637d6c4bd773ab6fe13a010a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b35bc2dbd95c839de6b51940360a5be4

SHA1
ae0768fab67828896211d5ed85defe593bd73f15

SHA256
d5a56737e0ef2758279c98649516292ca540a953fe503082ae96d4dd319a529a

SHA512
a195d1f059bc6b3d244005acdbd08edc46462876063918a7bf18bf2cefac7842db8faa10d70635d01a46285de3531c4eb7729369e7501aa6da1057d3c544697e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
378e1d25271bee465f88b451ed875cdd

SHA1
89fbd9fd150c22670efd57a7daeffdd9b8a7209d

SHA256
3fa9c271c4d8cb2cf59afb201404b037e2322a23a655461595a1f7c14a4def81

SHA512
f87ac2035d2db30d9a8d5ff92ca9cc9af901112560c1311d47a3876aeb3b0187c10f91bb329074b159b46b0d4e2a0ea75eec7e4384cbb294f4fd8130116ff01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
47aec0ae6e0dfab5f91c35cd65d2c56a

SHA1
0bbe13618bdc0c402539cdfca81471aa501f5cad

SHA256
8f31385012b247db2cc50ecb164208fbbf5f8cdf7bfc951e8c2c8ad5fb04cf0b

SHA512
c4b7184a85c1d594012ba86390e651439d6cae63c76b94432faaaea410e4ef9bc62d88e68adf8f3abbe36e18ef9e4dc46c3e31a0d72089f98a22f04c8b4a8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vdyt1lfn.dj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\TweaksFPS.zip

Filesize
226KB

MD5
f4e1a11343c91d5ea9e29d2648223682

SHA1
74fc3abb3cd9aac497fa71a236bb96431ad2a3b2

SHA256
d74cb76c2e67919c875fd41ab765ec5970ebdde94f13897d0893131d577a4067

SHA512
c9c5ef23025eb7532c0fe1715abcbe6a03b39d37b133df125365b99aa850f7bfe4a84445a38e33ee26f409e6fac0adec62af671b7f54fdfb576b9650bacae106

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2468-411-0x000001F855CF0000-0x000001F855D12000-memory.dmp

Filesize
136KB

Download
memory/5900-435-0x0000019EFCC60000-0x0000019EFCCB0000-memory.dmp

Filesize
320KB

Download
memory/5900-433-0x0000019EFC3A0000-0x0000019EFC416000-memory.dmp

Filesize
472KB

Download
memory/5900-437-0x0000019EFC1C0000-0x0000019EFC1DE000-memory.dmp

Filesize
120KB

Download
memory/5900-467-0x0000019EFC210000-0x0000019EFC21A000-memory.dmp

Filesize
40KB

Download
memory/5900-468-0x0000019EFC420000-0x0000019EFC432000-memory.dmp

Filesize
72KB

Download
memory/5900-405-0x00007FFDB8FF0000-0x00007FFDB9AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5900-486-0x00007FFDB8FF0000-0x00007FFDB9AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5900-404-0x0000019EFA420000-0x0000019EFA460000-memory.dmp

Filesize
256KB

Download
memory/5900-403-0x00007FFDB8FF3000-0x00007FFDB8FF5000-memory.dmp

Filesize
8KB

Download