silverrat | 734134e80c40901117ef9f60a32a59c665b248cd1424c7ffdf5c38048fb386c0

Analysis

max time kernel
899s
max time network
894s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
11/04/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zenith Paid (free)/Zenith.exe
Size

253KB
MD5

a3f5ca99bab4cd1278c4ba236e2ebdc0
SHA1

39140ab5086d55fda03bbaf10f5d21f12b8cbb65
SHA256

9489fa54b4d4b8445967acdd0c82f5bde71d5fc7176e29cba1a0e489e14e2260
SHA512

a3a608f2e51fd4065662579b6f2b20046600e90385375425de62e3436478864b6d0b81862a0172322fc8947886ac3e7358914cb9ae6ed40b22c45c2100c0e10d
SSDEEP

3072:uPmKPpGI/9d9tsOJJP3TrIp3LLffmqdWnX/7v:Z0/9dJJJ/Tr0bCiWXL

Score

10^/10

silverrat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

primary-spencer.gl.at.ply.gg:44605

Mutex

SilverMutex_THTKnubHYs

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1360028237673271410/L71d1vKuqVi0a8hRaNkZVq16u74QldOvKu2ka_rmGztXjyZ_2kCjg6qcKhW8ADujYXyZ
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
eG90dHZtYlpmaWpZd1FZQ2l3b2N4TURvUWZSYkxS
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
PwsFwyulCMo6APH+AHSxvFJ5Sh1NCPDclAC0Rad1OYF1TVa6KVvqaOPlEYIR2tcrD0uLpS3MYaA+J/JrgifE4UvnMghukhnlrrNe6LK4S6PYn3T+ysqaJE8OWIAtSMipFU6SIYVOGBqpZb2JEvjNk3c0n358BbxsroFUGY0k5PtWap2ymVwA0MSYcZujbe0FNZ/BHcKzjGiv+9Yb1m0KZJQ6JU8E9eBlVeJSLOMluNvRNerLrrfG/ft62MFDVlCgeKLY9ISd7cE2Z6eTzgmG/oMfkTrdvzvFJQ4frklKfdA+/TrNa1PK2n7txPzA130BAOCY/lmeEKTfYC7COtfsTYGXHcR7eXivgeZIhq4hoQnNgbdV9JP1d+mYaFKLqAX/JkP+wgXcEHTUTkyfnUXp3nzGMHxK+/dD3938GBulI0+JKJaq1ryX+lIg+Khh2WfBm7IQ5kYt1C7A6j7/FNY8aLcTM+1XEKGOq9I+eUSCAFPKkd9Or8HMU4Q3rtvyaqaSPTJHVEtBNUtFDUi6bbCUm/JneGvaKjrngZ1Wg0mx3JfVv144FOmoYrHZ/IhnWWthuZ6lE5UoYn2SRwg8o4WhNNX784I5I8MqfYuUD5tbh2TUd1xlXdPs4EQAZJVMCqMQkajQFyhdNGmR/u3RdnUpXi2V3qBUlVqteTpzms0A7VA=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1836	attrib.exe
2152	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
5928	$77runtimebroker.exe.exe
5312	$77runtimebroker.exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\wininit.exe\\$77runtimebroker.exe.exe\""	Zenith.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	discord.com
16	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2736	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
3776	Zenith.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe
5928	$77runtimebroker.exe.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	Zenith.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeDebugPrivilege	5928	$77runtimebroker.exe.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5928	$77runtimebroker.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 1836	3776	Zenith.exe	78
PID 3776 wrote to memory of 1836	3776	Zenith.exe	78
PID 3776 wrote to memory of 2152	3776	Zenith.exe	80
PID 3776 wrote to memory of 2152	3776	Zenith.exe	80
PID 4152 wrote to memory of 2356	4152	chrome.exe	85
PID 4152 wrote to memory of 2356	4152	chrome.exe	85
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4808	4152	chrome.exe	86
PID 4152 wrote to memory of 4908	4152	chrome.exe	87
PID 4152 wrote to memory of 4908	4152	chrome.exe	87
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88
PID 4152 wrote to memory of 4900	4152	chrome.exe	88

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1836	attrib.exe
2152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Zenith Paid (free)\Zenith.exe
"C:\Users\Admin\AppData\Local\Temp\Zenith Paid (free)\Zenith.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\wininit.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1836
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB4F.tmp.bat""
  2⤵
  PID:2952
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
    "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8215dcf8,0x7ffc8215dd04,0x7ffc8215dd10
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2032,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2236 /prefetch:11
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2248 /prefetch:13
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4216 /prefetch:9
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5304,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5316 /prefetch:14
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5504 /prefetch:14
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5548,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3652 /prefetch:14
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3424 /prefetch:14
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5716 /prefetch:14
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1132,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4332 /prefetch:10
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4520,i,4886339193482896553,4817480667963550244,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4332 /prefetch:14
  2⤵
  PID:1420

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
1⤵
PID:2060
- C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
  C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
34ced33bc6c9edbc9c430daeb1104a08

SHA1
c377d485e4693e01ae8c39c83588b09c9d30b61b

SHA256
9205cd19215e298fc53ae1941816486c2d0d35b10f51c9eb934cda9afd8dd301

SHA512
2927add32236a83cb845ca8d159532b8cff80be6c8885a7a121d2750d94c449c46423fde5cfcfcec92b1f09ce895ab8b0bd5ccc89b5e660a0099c71bf46fce1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a340abdd9a7ed5fe37335d0d30fc014f

SHA1
aa41be2072e2a23e046efb7433f1eb555a08bf41

SHA256
420455e000473772650596b53405120d1fe201ec28d403b31819a479b6e122cf

SHA512
c802ca553ac288a5364656b4b5c0641763e875af3559b2362380c497f67ad9d7fbc2e134776e48e156e0ff3f14f96f870b13b121bee28f8e212b88e317e3428b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
8a7fd29d8814651516f958038c8bb0f2

SHA1
c6fb1b5996fbec539191274247b4d036aa78619f

SHA256
dcbc1817cc18a057239a66f230b8624553b6d4ddf00ba888df822c9e42bef548

SHA512
fd0ece05a68413e1f58fc0ee24ffe20765050e8844b4b5fbb81ee5e0794c0616138ac420ad207b0628b0e2f95321478e11a72ee164abbf24e54e716ec0cbe82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c44fa9047e04fa0d31a3b0520ec4e0ce

SHA1
a7893b6cd3071c00422ff911aec4ecdcb1abcf2a

SHA256
cf87ec5ca8c1714e225bf0eaf2b6af3887a1dfc1693105088c54154efabe9752

SHA512
d54a078789956059f2c5f1c0d570fca56f760624cd55ad33538e29196be96955c3db7b3d22ab6178c6f2f2d5955aa70de4bc36a8b95922278b4f1758a1f470c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
43a1269f0576696b0f6e328c90db219d

SHA1
eda76827f2685c4efea6fb6ed6c0e9ee48cbd075

SHA256
61a114bd321d7052ad03853ecfa99fde6409922313ee41e63c8e130d50476715

SHA512
79bbc5eb31b38cbd65fa9bfa93fae8bc5077cc8cf47577ec0f044a52dfd3e5db4cfb43308d0a8866a9d719c0084223c0448d2670fb8bb001f6857bd70c8222bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11969e8b0abcc81ced60f68dfdda63dd

SHA1
b86baa9a8531c3343f8803d93ddf8e002cde0230

SHA256
0e3e73bfecd71f519013ac596e3937d4b814c1274c071b58535e88fd00caec4b

SHA512
1af2334cfc48259050c1a543ba7e75ea4da202eedc28b1e7a672e3966bfa41625ff1c0335f1af3fc5380c37674eed21963647022419ca52f8e8707b2b71962ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
442892d8428b82962080a9aed3529724

SHA1
9ed04991b18767ce02509efbd153504c4ef5fdf1

SHA256
6b8792b2189b49ee4a4d18ca27e13df2e2cb1947b780bfb42756dffc7f19d92c

SHA512
559c2bb798fcebf781b827b081abc746c0a84637f0a7e3007bc7691a1b7417292043727bb01eb651c22f281811003ffc01d2591601812db48d28df2511dcfcfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e208376d-aee9-4032-9712-11ef4c45c942.tmp

Filesize
2KB

MD5
d345a47e28b454ccd848729b57fe3a0c

SHA1
aeef48f249686dc7fa8bd39aa4cfa87054ec9098

SHA256
82e02159bd355c70fe67c5c88b947776493ff57ba9e503fbe4d2fa8bff15d600

SHA512
f85368fc3e1886a06955116df8cfc1915c61613bef25e22b3db8f7cd56534aaf87f89705959eb95a42170368e432044ccb11f1d9a040688fbbdbc10990f2ccd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0a4591997a728f98c994b6a995b15725

SHA1
b34d49a4c3bdafaf1550700885238990e78545f1

SHA256
1198b80e6ae899536813d9b230fbf070dc5ba3fd80eb610a1583f19f11182872

SHA512
a7856cd20109bbbcc30ca94418619d0a38133612d96edfb5caa3f9747fbfed7ccc346856f9f0249e2cf38e682fa1473e8d39b7d8e66e844ade20a762bdf0ae8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40076a8a331114e96b726e8f54ccfb29

SHA1
eea8c6206c2d159ed142f661480d3f0f9ecf437d

SHA256
bcfbffeda079dab25c86b882c3bea2dfca75171860fc25e3db6037b88c26703e

SHA512
e88026de43478ea0844147ba968fea96ef38214fd472afeda44d7a74c10362e37083a5692c953dc5b98825ac66b516736bce7a822e87e33744c86b75b48387d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8c9542c31f4c1dcc4b109000feeac31

SHA1
ea33154bebeff0be5b67085ca7afcb2623732b00

SHA256
c1e5a1a7497a75f4e37d687053e338716c27eb5f2118242e19fba47740e629a5

SHA512
fafaac8b44974cbed112f79fb66b1fe8568b6c96dcb9062a22799c0a0db347715b18416d112604c40c7bd950efdf17720fd5ee3f2f28a000361fddbc2c768175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b577d164d5130cd7e9dea0b9a291a033

SHA1
f4d79b3dd52080e466ed0f62743322370b8be1d9

SHA256
47cacdd2f056bf703c08cc1261ec7cbd84c7d68166b3e56eac9b6657abace05f

SHA512
301704c6a5f6bbf375026dc69f0a1b131a76b0777c2cd3499fda22d4354301b47ffa330bfeb46d6d56a859352ca31b1624a4a218532ba2528b4976c2dfa076c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aa41cf978557919bbcce2bb0b9fc1264

SHA1
1ada6e96cd9152ce7a687aadef6765f2b9ddabbe

SHA256
01ef79e977911f1376f5d074c12ac4f4aabdbf09c0df06d327ff5128d3daf6dc

SHA512
36c4047c39ab504b90d37d1ac58d72e8b85066bbb383eb91b2f710d2183da4332d5ae24704e8e64483dee5f17d340f08a166f6068d1ab3df6dfafb42fe8f725a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3eebbd78cbc2c80643d1b8025511e34c

SHA1
870dd5e7120230f81d02cd923fef2a853f971108

SHA256
80aae18a06d3ccf965e2d2213d9cc47a392199d949aa76aba1c30f0c9bf0f668

SHA512
171465325ac5d785383cba2488a7d4832aae8e18019d80ceaac14290bc42fc52302473dc1f26d2abf7ac3587727e8b1e14c80bfc29b96b53842044031ae28ac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f4c0.TMP

Filesize
48B

MD5
5af51bacbf249b944d7e5b448f61a8d6

SHA1
079b5c2a832c5a501173ccf7b5bf0927517c20e6

SHA256
691f3257dc51624137be67a8be78f393a6f9f2546fa07f9dada68a84af51885c

SHA512
41d110755e1b32c655141e85974ccc960ffbb7d9ed35a5c4bb2ee7e04604780e89d0fb3ae7b27b131e9d9b8e10b14c394c8d21804537fa2918d641069fcbc61e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ff0239ec-c6b1-4aad-b06d-862dd5aa233b.tmp

Filesize
10KB

MD5
0d5f2927e06447e2da1b1ffb535a18c6

SHA1
588cf93467f30aae861b67b64422effb8df1da93

SHA256
497de4f49347623cb52fa55b771553978cf86a60a23a2c86a75af77a177ef4a1

SHA512
66b3c42cb11ed35c5e47c7d81a65369ec992b9a185180b1567bc4b3110a667c0fff9ce04d4f1e607cc158d3d36b808ad404eecda75b404e1fee916aa36621429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
57c5db85ca36429207b76b1c49c70f76

SHA1
24eeac27f8fc336229dcb9c8331fde9542881d42

SHA256
bf37d945b390bb9ebc8366a6f109a213e15a987ffa7c585e984adb0ea98b7e15

SHA512
b7c7d3458788c2b4cd19dd868e3bf41c6fb695fe687a660667a2bbe80bf09b4b0d6551e42c60bdcec54426636a433e10e6c944d66762eda938d0e1ace1214891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
525274bb3f5611b49b21a91f4c3958b1

SHA1
61e35f5cd806b10d1e3dac4a2b3796c10cf9c69d

SHA256
62e2784ed2580360d6d9e50bd2ddd856562ea657c80f2dc170b4245637efe7ef

SHA512
c3114d5dcf164f8806f523b56bdc90f1836daf8ef64e5f633327fa4c9916d2b9ba7957f821171fdf8a7c186c41b4c5f723f4acd7ecef452f520bfe4ab8d564c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
dfc7d493307a4c069d8594709f7b4d94

SHA1
d2a7bdbe0138fab473046deafbd697e645fa7e77

SHA256
9fcb169c5e15a2d1c84aa51badc391f385e97c1b989926838160648d0445006e

SHA512
062264830a5fa5dca7be3d3471eb8457bdd86e3fb62de02e20be7e8996087d30c31d68f006aa89a0169b6d56cab95fc766533b71f4e4ca2d7dc84ca83e9f1a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
d143396335c698d2e9ada819e6ddf2a1

SHA1
6933769956b0311cecdde26c642a597fe4ad4f8d

SHA256
1970b4e28e4f377d12e56dd76843d8f3d7ee25a1ce8c6102150af621f3d9038f

SHA512
39e0ee00b61d0f2bff23c6bc049e9c49e0847e5e57a44ce89f6697ed8e9fb2ab173f2e1d400f0ca7700bd85dd0f18d849f530ded5efaf892c8f88d3568b869c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ehxohce.dp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB4F.tmp.bat

Filesize
160B

MD5
d7204f009ddad478afc6a7ee4965ebfa

SHA1
a4d6e7a3e0d2a09a2c9c511c00502f940c4bd5d1

SHA256
6177c80da308454926da0d56a115edaff519e3c2240f7d8d09f3ec87f93030f8

SHA512
2d8f4efd5bb2df54d8a1274588c60e8d0c413256028cefcdd88cb27c784cef29b1e827483de33b6e988981b5fa212517a62f1bfbb91d9276e57d9deaf167fa33

Download Submit
C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe

Filesize
253KB

MD5
a3f5ca99bab4cd1278c4ba236e2ebdc0

SHA1
39140ab5086d55fda03bbaf10f5d21f12b8cbb65

SHA256
9489fa54b4d4b8445967acdd0c82f5bde71d5fc7176e29cba1a0e489e14e2260

SHA512
a3a608f2e51fd4065662579b6f2b20046600e90385375425de62e3436478864b6d0b81862a0172322fc8947886ac3e7358914cb9ae6ed40b22c45c2100c0e10d

Download Submit
memory/2820-83-0x00000248E8550000-0x00000248E8572000-memory.dmp

Filesize
136KB

Download
memory/3776-73-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3776-0-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp

Filesize
8KB

Download
memory/3776-1-0x0000000000DB0000-0x0000000000DF4000-memory.dmp

Filesize
272KB

Download
memory/3776-19-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/3776-2-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download