Analysis Overview
SHA256
01342213b45659a27b48f65b73b7043b84faba91ca8f80963560d824097e5ed1
Threat Level: Known bad
The file ElectricLauncher.7z was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
Umbral family
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-02 14:05
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 14:03
Reported
2024-07-02 14:08
Platform
win11-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000cb5893ad1000372d5a6970003c0009000400efbecb5893adcb5893ad2e000000819f020000001c0000000000000000000000000000001519e40037002d005a0069007000000014000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000cb583cb1110050524f4752417e310000740009000400efbec5525961cb583cb12e0000003f0000000000010000000000000000004a0000000000a7192c00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \Registry\User\S-1-5-21-1560405787-796225086-678739705-1000_Classes\NotificationData | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications\7zFM.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications\7zFM.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications\7zFM.exe | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications\7zFM.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| GB | 184.28.176.10:443 | N/A | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| NL | 23.62.61.171:443 | r.bing.com | tcp |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 52.111.243.30:443 | N/A | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 57b3258a625119976bd6c4b2d31b7c59 |
| SHA1 | 319cd65d7cc2cc49cabc4d00b738fb0f075142fd |
| SHA256 | 9e977d343cf9cc7f29f797392003b21c1c15be3deff7aae1f29151a725e2f536 |
| SHA512 | c0e3ec54c99f43bd5cb9539b43e087996dc6c9b896e5cfeb7aabae9327c776e8d29bd984410d8e96ccc1f3f26c2be25b7219657bd8a803fa42edb790df41efa1 |
C:\Users\Admin\AppData\Local\Temp\7zE003301D7\ElectricLauncher\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe
| MD5 | 3c764a3a72eefe5074751c4955df77ad |
| SHA1 | 670efacebbeab02a31b69cde6d3f949816c45946 |
| SHA256 | c8413e399a6ebd847f90bb3cde101d647aeef296baf4157141ab47fc2ae82b14 |
| SHA512 | c640dec6bb9cb980cdf998d93736759ecb0a0a7b124a5dc0cd08b15ac984d5d131044d64d154a18ccf2bf07c39cd29aecaecef48873c41fcb85e82fd3f59120f |
memory/4924-577-0x000001EA6E3E0000-0x000001EA6E462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzhrysc5.nny.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2224-583-0x0000021014350000-0x0000021014372000-memory.dmp
memory/2224-589-0x000002102C730000-0x000002102C87F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
memory/4408-601-0x00000231B4190000-0x00000231B42DF000-memory.dmp
memory/4924-603-0x000001EA70C80000-0x000001EA70CF6000-memory.dmp
memory/4924-604-0x000001EA70D00000-0x000001EA70D50000-memory.dmp
memory/4924-605-0x000001EA70120000-0x000001EA7013E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73a7f7f101d776f899f94225a14da2e7 |
| SHA1 | 2bfc92d7538695987f11af32252c2c83ea7f1ece |
| SHA256 | 51cd74a30ba6caad1a9b87043919e5bbbe36f331c5a2b42ef678cd9765628948 |
| SHA512 | b6b44a831ec0958ad960596dcdf00c03cb15e3a4ff5a877cb2efb2e06549ffa146401ae2e87b7253dfe43bae90df5a3d551fb0e4ef0d5cdb93e8aa82af799eb8 |
memory/2408-628-0x000002682D820000-0x000002682D96F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f29ff8b1e0f396a194a6782749830b8e |
| SHA1 | 2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69 |
| SHA256 | 5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f |
| SHA512 | 0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19 |
memory/2464-639-0x000001EBCE5B0000-0x000001EBCE6FF000-memory.dmp
memory/4924-642-0x000001EA70170000-0x000001EA7017A000-memory.dmp
memory/4924-643-0x000001EA702C0000-0x000001EA702D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 991e8f3bdc04acca98024f7311752070 |
| SHA1 | 76005ee90a2772414bc7231d6192a942dde9d499 |
| SHA256 | 788799ff1be9e0abccbadc1d574ed7f36e7bc6833d942b5c177ed4e50c6dae44 |
| SHA512 | b7ecfcc910ecf00694e1b65ff4aa34caeb8f05db2aa10ca032885d1262efe74dee874abaa1399297144259f3ce2a7e48301c79477c51c5369c5911742c4fc326 |
memory/1828-659-0x000002144A940000-0x000002144AA8F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ElectrickLauncher.exe.log
| MD5 | b51beb4423c86427f672916554030c47 |
| SHA1 | 9b97736d8434b62ef627a4ee8484e26c719924a8 |
| SHA256 | df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea |
| SHA512 | 262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a5ffb22e000e0186d0f35020b6ab9f36 |
| SHA1 | 243d0d2f3fbd6dd605014a9ec1dc5952d045b08b |
| SHA256 | 7b490bfbe78241abcb09e394c97ccfb51f56dfd863dc93375335dca5d7a07f6f |
| SHA512 | 6fa56b2462eae59cef0c7f6a13dc0511432887429f15531413383e0fb4390357756641b81856584077896504da7645ae23096784ad58a85073f2663e22718c6a |
memory/2196-677-0x000002C0567C0000-0x000002C05690F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fcbfea2bed3d0d2533fe957f0f83e35c |
| SHA1 | 70ca46e89e31d8918c482848cd566090aaffd910 |
| SHA256 | e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38 |
| SHA512 | d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6 |
memory/1152-688-0x00000172ADF40000-0x00000172AE08F000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e97e6c89e69e5dfe3720965bf7025332 |
| SHA1 | e66d8655b2f6a97f22f926bdf26f619cae29d43f |
| SHA256 | 157f1793bb3f5800e88ab46d6055261e7b89526f0bdc0e4f0424e738f3859394 |
| SHA512 | 171d593bd1a24f1eac560fc7185650789927f2ad4a0469a2403c77103fc22ebc11e86545c309ff45a42e90464f6fc96bf7cf8ffdd05f7b55a627e8a07366ea9c |
memory/1072-713-0x000001DDDDBE0000-0x000001DDDDD2F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de1cbc191bee1d162d00561785ff3e3f |
| SHA1 | e65c6208aaeb730c3242fec9afbfe797fb464f66 |
| SHA256 | 7eda0e7287adda6d5511bb314988c270a1ec05a6bd7fcbfab698ed7b4b195434 |
| SHA512 | af507d8a805f43842e87414b43c1a0f8973f3d663d2efeb0556b9d212741d159e2f0d0e0528588d9dba1278cca1efd37ab4d28c118c4424345191d0b016d2013 |
memory/3264-724-0x000002766AB70000-0x000002766ACBF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9727080e411a1a3acddc368446e8792e |
| SHA1 | 8a479e5c1ec2aeba4021d9ebe8604d214ee7e22b |
| SHA256 | 828c90db8468efdbced7ebbc77428e710f3a4b8d74cc46b0be3ded118b348ba3 |
| SHA512 | bbe71b367537dbd32e50049b9d85156bc861f94f3dee28f12e7ec832f35db8aa8e76d66d5b5a326d57d265a23eae8327016fb6579062a260ea35e64123e6e1ec |
memory/3876-740-0x000001DB726D0000-0x000001DB7281F000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 9a7af7f1f08f7de9da3ba647286ee5a6 |
| SHA1 | d7a23961ba5f8c4242a03f20686ff516c2ae432c |
| SHA256 | dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b |
| SHA512 | 64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 35745802ec2865acb4c60e651e5a8620 |
| SHA1 | f10c746a71c2741790aa3f5160ea7d9be1a1920a |
| SHA256 | ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63 |
| SHA512 | 0031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 091c7251c404f1fbed899029d38174ea |
| SHA1 | 9e43e32a9fb0fc4673b4d9928947249e5ba4c2dc |
| SHA256 | a5675a6d4777674ca47f75646f9789747ea865e0fe701a085c1d89b5d67de100 |
| SHA512 | 0325784e8fd5a5a6bf86e2dee1ff18ce1b97c562f76bb16a8c5d33e59a72e1d507e409740932fa6bc10fb2cc685403466f45fd8435d7c8f9d3c4954fb6391aa6 |
C:\Users\Admin\AppData\Local\Temp\gdRduAKrWgTU5H3
| MD5 | 2dee754eebee90ff8997be8404278b0c |
| SHA1 | 6f6349b1cbeb6ab2a1006e6dbb4e271c065ea76f |
| SHA256 | e726b20642cb1bc6c26279444478bc7f087559367f7ec80732adf3942c63e650 |
| SHA512 | 5d673a25edf4d03580857ca1abc7d6e8647e3eae401beb4b1e41e4bb919cf9e4c8d60c395708d82669f6d10348dd9158007cd15454f934b5250d364fff67ec7e |
C:\Users\Admin\AppData\Local\Temp\V2vqgG2ONDWCO5Y
| MD5 | 14ccc9293153deacbb9a20ee8f6ff1b7 |
| SHA1 | 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3 |
| SHA256 | 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511 |
| SHA512 | 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765 |
C:\Users\Admin\AppData\Local\Temp\V2vqgG2ONDWCO5Y
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |
C:\Users\Admin\AppData\Local\Temp\V2vqgG2ONDWCO5Y
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 87ebe221d639e66210ef10c93e5f83c3 |
| SHA1 | 483a666b82f7b59e2d569f6f331fa3989fe0f526 |
| SHA256 | 9a41c90023823aa68dc48f5d8592910dc2ad1116bf54870a0832aba787990380 |
| SHA512 | 2a1e22894388a79526f39db4fa7c65db92626719337f865eaac39d0bb28dc95726fba62c1f0d659864843a2804bd803fe3dfbc0840421c80ff735192928efcce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57083a8e45ebe4fd84c7c0f137ec3e21 |
| SHA1 | 857b5ea57f7bcf03cadee122106c6e58792a9b84 |
| SHA256 | f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40 |
| SHA512 | 4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87 |
C:\Users\Admin\AppData\Local\Temp\iaVroh8PbbUoDtr\Browsers\Cookies\Chrome Cookies.txt
| MD5 | f655b58434640d779f736d9b060917db |
| SHA1 | e19e84cbe7a0defd1fc4c0f464854a67f5faf3bf |
| SHA256 | 35dda0e7571f97ccae10eea1eaa80f920be029350193ad1bd7f7618554616d03 |
| SHA512 | 1c26516c609bba7defb194f1abf1c32574115439bef164c3cf021fda594b90dbfe41b7195b3ef2ecd6f3a175dbe18f76c39e5db52c53c22ea902cc198a6d576f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d53bff3268b4070a89684df32a209d99 |
| SHA1 | d6a10a280bf5a360cc4cd8f7a76e17ade869fe9a |
| SHA256 | 934968e97319b9150f34a5d1fa999b5683c1581740177126d264e184d8845132 |
| SHA512 | f5e2048c3628198cd9dfda8fb04f2fa9ca6f4a84ebbff0cc1ff716c76c0f625c2c72f39409ebdcfae028510cd58f85b520d03111a456c80a197d7446522eaf0b |