silverrat | c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f

Resubmissions

02/02/2025, 22:25

250202-2b8b9asmhr 10

02/02/2025, 19:11

250202-xwd7pavmh1 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silly.exe
Size

45KB
MD5

1cf8d6e0acaa084d9b4201f11a1a04a8
SHA1

7cc576ff7a096e14a6e83836bfd3cd29f7164392
SHA256

c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
SHA512

de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a
SSDEEP

768:iqzAMCV2799XtzcyyMjtjRULQD9PpnUz1QB6S9RVvr0/bE:iqzAM8qfzcMjGsD9K1QoyRVA/bE

Score

10^/10

silverrat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

if-eventually.gl.at.ply.gg:17094

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335679503938355221/lGcOUDspps04wapqxq013W8uYGPSCcmnxl9Q1xnWdBn45Ul8QBT-Qs2mjsdVNXfOtTCe
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2348	attrib.exe
2296	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	Silly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\""	Silly.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	discord.com
15	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1292	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133830088099914880"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4174397412-4125106315-2776226590-1000\{E7FDC8EA-A5F3-455E-8293-50044CBF66F3}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
4940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
3020	Silly.exe
2116	powershell.exe
2116	powershell.exe
2240	$77Runtime Broker.exe
3680	chrome.exe
3680	chrome.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe
2240	$77Runtime Broker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4652	vssvc.exe
Token: SeRestorePrivilege	4652	vssvc.exe
Token: SeAuditPrivilege	4652	vssvc.exe
Token: SeDebugPrivilege	3020	Silly.exe
Token: SeDebugPrivilege	2240	$77Runtime Broker.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2348	3020	Silly.exe	89
PID 3020 wrote to memory of 2348	3020	Silly.exe	89
PID 3020 wrote to memory of 2296	3020	Silly.exe	91
PID 3020 wrote to memory of 2296	3020	Silly.exe	91
PID 3020 wrote to memory of 4916	3020	Silly.exe	93
PID 3020 wrote to memory of 4916	3020	Silly.exe	93
PID 4916 wrote to memory of 1292	4916	cmd.exe	95
PID 4916 wrote to memory of 1292	4916	cmd.exe	95
PID 4916 wrote to memory of 2240	4916	cmd.exe	96
PID 4916 wrote to memory of 2240	4916	cmd.exe	96
PID 2240 wrote to memory of 464	2240	$77Runtime Broker.exe	98
PID 2240 wrote to memory of 464	2240	$77Runtime Broker.exe	98
PID 2240 wrote to memory of 760	2240	$77Runtime Broker.exe	100
PID 2240 wrote to memory of 760	2240	$77Runtime Broker.exe	100
PID 2240 wrote to memory of 4728	2240	$77Runtime Broker.exe	102
PID 2240 wrote to memory of 4728	2240	$77Runtime Broker.exe	102
PID 2240 wrote to memory of 2116	2240	$77Runtime Broker.exe	104
PID 2240 wrote to memory of 2116	2240	$77Runtime Broker.exe	104
PID 2240 wrote to memory of 4940	2240	$77Runtime Broker.exe	105
PID 2240 wrote to memory of 4940	2240	$77Runtime Broker.exe	105
PID 3680 wrote to memory of 4336	3680	chrome.exe	114
PID 3680 wrote to memory of 4336	3680	chrome.exe	114
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 3452	3680	chrome.exe	115
PID 3680 wrote to memory of 5076	3680	chrome.exe	116
PID 3680 wrote to memory of 5076	3680	chrome.exe	116
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117
PID 3680 wrote to memory of 4632	3680	chrome.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2348	attrib.exe
2296	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Silly.exe
"C:\Users\Admin\AppData\Local\Temp\Silly.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2348
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8AA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:464
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:760
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc71d5cc40,0x7ffc71d5cc4c,0x7ffc71d5cc58
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1584,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5220,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4728,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3452,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3424,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5172,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5252,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5272,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=240,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3212,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3408,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5224,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4672,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4644,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5416,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5668,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5672,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5844,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5832,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5872,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5312,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6328,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6332,i,14238525614313756462,4766013302416032509,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:4136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\92806677-c65f-4873-9633-6b10f69a222e.tmp

Filesize
124KB

MD5
ff026ef1a59be3ea36f773dd679750ee

SHA1
50fad3adc3b9f902532d519aedad14a18a2e9127

SHA256
87d6a82d761da11be9d3b5232c49241b10f73f0c4809c43d9d73ab8b4d646d9f

SHA512
57c75f8ca8360edf526d199394916671cf0d6b2c4966312dfebf7d324eb6aa09f2913fc3163d36a2e2d0302655a84cf9a32decbf80da1c56e2225c8fcb2fe340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
20KB

MD5
575407605d22ce25fe1ac19f68564053

SHA1
8a7cc7704f65d85e4946a5a1388b71f89f7958bc

SHA256
49d118ae21d75029f5ccb48e91bffceeae6bfedd953e97df800736dad88b1043

SHA512
a6c9ae80d4db6a5746244a4b7d80f7132d109de6541f06e98523380a8269b78370ecb465cff157f953bb31e061e2407d29f995818ae0956542bcd8f9f9e5546d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
026a1e03c94277b58ad412cca6ddd225

SHA1
e3b36b573f6a9fed58bea794d6f2cc8c50f4f91e

SHA256
57bfee89e607fecba7e07ee1734f420bd809a6d3c9e5ac495255b249bbd3353b

SHA512
1eb79e176d6fdc151d96daa1e409e80bf416a4c2bf2ba96d98569450dab28bdd69545c32114c88bbeb7bfbbafa27f1c81ca518945ff7437e0120ab57e5764099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
393dc6bbc10a14ce005d8e6309b41b30

SHA1
b52ed318e8efb426a322a8238eff515a4a610386

SHA256
1938c484a9d70e28a286c0d52514938e5e17d806f70c4f6f59abde9e08ddb58b

SHA512
d950576c7ee2924826fefd0627cdf03010251cb086e325265a73df6ae18ef3a1547f216688ed9038f07166c7b6214971da56012a2cd146203ed9dc0548822705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
d20779b73c3924682e8cc97e55322f03

SHA1
35215194915d0def170cb6d1a1d8708b2821a034

SHA256
86210484b196868bb6b1912b8cf7659965cfcf3521f1c9c228ff8940274ae631

SHA512
48cbd610fd56ea07bbb33844c9c9b175750dda98a9053ea0652e26baa7c30c0b0c7c5743f42328139baee71e03d658f5a026ddb3e83d7f3ce99118d3e098daf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8195b936cd663a1ce1679c7bcfb23f18

SHA1
4ca46c21fef6ee5df44f720b37395816e2e2f592

SHA256
d7f33dc7aa5ec511e85fafd18a3307ca29d1fd9ce565a003146e4d2cc27d3dc0

SHA512
00a6554a053e629724a3afdf7c7f6b5f5a513d7de1d5d42790dc91064a6b9c4778d5d9f156b0a659a4242158d7ae2fe9086e4647056218466855b83ae586cf9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c1e289247eb51624b01ba264243beb86

SHA1
3813c8f4970e545a74780a0c51b6d168bde9c3e7

SHA256
28bb906be2d0f0d19bd45150209b1797b09e16c0f3f1f80778761d0e8958b009

SHA512
17d148ea08ca850537aca0cd36cb4f33a6a5c4ac78548f23d8a2b0853b26b88a77f0303298eebb33eaa4106866ff542c216987b5106f21398285d4ac521e2d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ccf81d23a14e07e8f7016f54ace0112

SHA1
bd1bfea702d88b2ac29afe1504ddbee844f98596

SHA256
34fe0449231baeedffe95ae28b83daee0d3101f7585b35c7adac12f89f2a758a

SHA512
8777ec6e511453ee3996f4af5b92151df3688f167c8199a71d0e7955aac4332e1e0fc4d24f20e2d0a55499cadb57d07f248bcbf39e809be279b79c77cde2a49e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
860e9eb873ff2ba8dd51f24709533097

SHA1
9dfe2767738f6c4e72bf800fb274cc50b51bab80

SHA256
9bf03be719311ad08b7f067e2083b2679f2b22d17ce3d9af6d5552281cf24187

SHA512
b20392a2909f4b4298a1d17d3d1177a44670ccb5b214f60984fd0b48cb23eab9c6adc06e703d68d8c4e713e0d1cc56fb705c87bb16f22fba1f7d95d57aff52aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fae447c61b9a50eee603c95b93e89664

SHA1
f279d7c9d82a3b1cf61a94146d08fbd4dce7d17e

SHA256
93bd97ebcdbbe118248bcfb69b153b1b90fa73c282fb369dd3da6363505d5291

SHA512
c2bd2a76abcb4ecf1d97ab8d49383eff91fe058c3c62848f6775fb1d1a59b0e1446ce0a01580183de051188a68c0888ce74d48dbe53929fd94a65d790c1a410f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e4a19ee58dc9a458713e244d8b601009

SHA1
6b2012fa4685966c5536d59eaa6ee02f3842cc48

SHA256
4d6bdbbb8fb24a000e67e94976944752c4e6a5c90e5f3dceb6299f813a894d73

SHA512
f52b705979dc7ef747d8996cad96623e4a1ed44ce3432ce4ee12b11e246631a138a4c1bbde4a0055428c9dc0d184d5633ed4c05e8a386f86fe76e50a68825b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aded1e98bea7b2f5d6f9ed229dd3ad13

SHA1
686df7634812daae04454da51bdad5d02501ce7f

SHA256
a5a7d3fdc3f5732ee1e482be8fba7c3820a49b63505e4e45dc853f85eb369e2c

SHA512
0352be328759b4a21abb6bdfe8cafa8ad9f4b350d7bdb58aa41f25548bdf4aafcca7fd1c4867b546c3cd59f1a2c743970c341494419a8b586dc0c1d45d3d8bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
514e95c03a8cf7a2c1ae43ffa06ed333

SHA1
0057db3a055ca7aae6eeac066bd63da28f2d2824

SHA256
e909f092d562cb892ae7bda15f915283f230c563a83266bdff5a3ad92f5bbf1b

SHA512
f2972e56b16e0444327e2584d750d7260706d3029efcd704ba37514a4a0121c40ab5bb486ff8f89316d95450a65b25047ae2c62432a394cf07a9d50e312880ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7d052a05caa74e9ae1d3ff1a541bf31

SHA1
4a327db829322cb146fb033f254c27bdea31ec47

SHA256
63ebf78c7f5c9439896fb47071fcbe4f50e03edbd355fe47528f8c849a7e5ce5

SHA512
0d92c0dfe68a09b623c2eefd30dac88c695ea8e14119699b00bc934f5a9197272948f613e1e305613a56b984bdad3e8bff6d94ad9526926f881a5ca1c0db32a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c7efbe4d61f1e97fa773195d0b338d79

SHA1
583543c3196c5e5c10f17fd50f20689fd891b5b9

SHA256
52364d5965929be4bf9fef9409493d5c316610972f219695d7cd0aac7ff8cd67

SHA512
cea56f9e86a183b0a40ffc03eb9ae5e3dc4a4a499d39b0b92c40312a4df5f8da2453067a75f90b17bdc5203fdbf8d9a7307303c8c22313887b1323bdbce45820

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
84B

MD5
bd74cdf4452850c0fe50011d9d0efb14

SHA1
db00fe010edcf1f5b43255f1652b14b83325fb75

SHA256
19428ee17f5ecd4ad24d7e3d3060acc1259e2bfa5e082ba01de7d35122a804e0

SHA512
2a7f6754eddf6cc3a668d6b5741a1f6c095323f5e78452d7ff16eeb0735f6308d655ebb80ed4fa773a692af0cd646f506d7d00b8e106bc9cbcb538fed099cb00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe59406a.TMP

Filesize
148B

MD5
40505efdabd5bc3a996eb239e8f06ef9

SHA1
8b0b4ad32520c3097496326a8c93e17dc06eef77

SHA256
2c532ccb120a57d130b913f3990c9a56079508a6259ad9706fb645576087dc64

SHA512
d7fc2df1ca2e83a27e25ec296ff232993d338e9c8b95c82f701d2c3498d8690493c234bbca51493c5558df754860935aa249b40188f8dd359356d26d8f73a267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
e5dc3d745d6ab1c003da9789f12b8c7a

SHA1
6b72f5315640a227e1fa1c2762614ceb0987e9b0

SHA256
8a8678f8d1548054994dc9b64a7232aee6529bd6565bf098c2d50d4cba6ee746

SHA512
6a2c7caa034271e10236ee7b31fad87bbf4a33b3c08ff790469fb66c3d414f2082e9187389926808264fda33ada1d5e71a2d152d96e861c940bce1e5a5245e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
6d85c33b125f7ae03939738a8e22c1ee

SHA1
eb8498a347efadabbba6ef83e7342bfe504ad222

SHA256
03beaa4015a44a4f768d903d06567a4a66c58f20915a8d08d9a891f3f399556f

SHA512
f044013050413ecd9c5a5cadac42179ca5605dbd8258f0d27b55d63a5955ba8b58d0ea2891df6cac9d5284c7728503f93e833bd77efd34a53031dff75a444293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
3c3d60184460faf5d9df27b88dd94bcc

SHA1
f8f12d64f666ba9282d6a825e36594db047caee9

SHA256
6795aa8d5153a69f2e9ffcc5f6f110920e821478961cf20e9bbf4eda43f238d8

SHA512
c85427ebd12ad36a8a87dc0f58610a8a765ca3f518016fa8edc82fb822eba16e4e0a9f655e4aa6bf71aadb885e45f703f4912728dd69f0c8adf9fba1f72031ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
275KB

MD5
37e0add8219af5f1c6020b518ed6762a

SHA1
2b93215a8c89ae4f06627e879f183ec49e644fcc

SHA256
56fc0f99c029560e49ec6c44975e6f7c29bb00241994c153a5e82e3f5a68a09e

SHA512
8b88c784bed825c19ae6b8aad813b732bc005299d6966a9954bcb990873c969c4ef166c5949062776c25f64a31cfdc9a91730cca0a92bb40207b76b2ff4d693f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4yudmr2.ktv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8AA.tmp.bat

Filesize
197B

MD5
05683a3e33434da16dbfc4e664d9b8d0

SHA1
6805764ca1066955f361ef850100517478448e99

SHA256
0faaa464fe74e2152de6f89d94b9d94d92bfce36979731edc68c77198a90929c

SHA512
9c08a9d7c37420cddd7f8dea3e784b4b1306f90f31afae211d7a222ee9a798aea9618c07b607885a3522ce5cf467ece5b7722f4cf5554bf270a098aacf8ec2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

Filesize
45KB

MD5
1cf8d6e0acaa084d9b4201f11a1a04a8

SHA1
7cc576ff7a096e14a6e83836bfd3cd29f7164392

SHA256
c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f

SHA512
de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a

Download Submit
memory/2116-16-0x000001C22F480000-0x000001C22F4A2000-memory.dmp

Filesize
136KB

Download
memory/3020-10-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/3020-0-0x00007FFC774A3000-0x00007FFC774A5000-memory.dmp

Filesize
8KB

Download
memory/3020-4-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/3020-3-0x00007FFC774A3000-0x00007FFC774A5000-memory.dmp

Filesize
8KB

Download
memory/3020-2-0x00007FFC774A0000-0x00007FFC77F61000-memory.dmp

Filesize
10.8MB

Download
memory/3020-1-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download