Analysis Overview
SHA256
8d760423938a7e6e1c810a6138054850965844facb0f8cb2cc4378de140a5f23
Threat Level: Known bad
The file REDengine-5M-CRACKED was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Detects videocard installed
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-28 21:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-28 21:11
Reported: 2024-06-28 21:13
Platform: win11-20240611-en
Max time kernel: 56s
Max time network: 57s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\loader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\loader.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640827353343026" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HjSLb.scr\:Zone.Identifier:$DATA | C:\Users\Admin\Downloads\loader.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\loader.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REDengine-5M-CRACKED
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd97d0ab58,0x7ffd97d0ab68,0x7ffd97d0ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1760 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4896 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\Downloads\loader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\loader.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
Files