Analysis Overview
SHA256
c88ffa55d1136e9393fa642c508ab09e91da603eb036c0ca72fb77d806844c14
Threat Level: Known bad
The file 1111.txt was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Umbral
Detect Umbral payload
Xworm
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Downloads MZ/PE file
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Drops file in System32 directory
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Detects videocard installed
Enumerates system info in registry
Views/modifies file attributes
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy WMI provider
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 04:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 04:26
Reported
2024-07-11 04:31
Platform
win7-20240708-en
Max time kernel
189s
Max time network
291s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\RTC_launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RTC-launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RTC_launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RTC-launcher.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\1111.txt
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68e9758,0x7fef68e9768,0x7fef68e9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1680 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1140 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3352 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2756 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4136 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3840 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
C:\Users\Admin\Downloads\RTC_launcher.exe
"C:\Users\Admin\Downloads\RTC_launcher.exe"
C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
"C:\Users\Admin\AppData\Roaming\RTC-launcher.exe"
C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
"C:\Users\Admin\AppData\Roaming\svchost.sfx.exe"
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
"C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FEBDBB62-03B2-4391-B5F2-F93E163AE82C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | rtc-launcher-9cd2ftx.gamma.site | udp |
| US | 172.67.132.20:443 | rtc-launcher-9cd2ftx.gamma.site | tcp |
| US | 172.67.132.20:443 | rtc-launcher-9cd2ftx.gamma.site | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 92.123.143.169:80 | apps.identrust.com | tcp |
| US | 172.67.132.20:443 | rtc-launcher-9cd2ftx.gamma.site | udp |
| US | 8.8.8.8:53 | imgproxy.gamma.app | udp |
| US | 104.18.10.200:443 | imgproxy.gamma.app | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | ucf0484d1bb81e01f2c549862d52.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | ucf0484d1bb81e01f2c549862d52.dl.dropboxusercontent.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | redscientist.com | udp |
| US | 74.208.236.5:80 | redscientist.com | tcp |
| US | 74.208.236.5:80 | redscientist.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | connection-arizona.gl.at.ply.gg | udp |
| US | 147.185.221.20:65211 | connection-arizona.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| GB | 216.58.212.227:443 | beacons.gvt2.com | tcp |
| GB | 216.58.212.227:443 | beacons.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | udp |
Files
\??\pipe\crashpad_1864_UMCHXAZAFARLYIOM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\Cab3287.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3345.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e23958c72fdfd598755a7a381e6a620 |
| SHA1 | d67d017c260c4f3222b314cc96fc4bc1038b1980 |
| SHA256 | 62dcabee69eb16bf56d4b6d5c9586c8e74a41606bad4e9ec0dc63bdf90a90f76 |
| SHA512 | c079674fa439c0abbf4555e345c8f15f767cae0c9685906901829115e72c3a35d0ef2bcd688ff517816138e4b5de24487784b852927ac9bef9d6a5fa2e8fff35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d6a1b78b0c63a0ba1d5904a8413fd6b |
| SHA1 | 51af8cbbca6a338e0ced934286d03511f08c3114 |
| SHA256 | d2cf7301eb4003b3a93c92b2a10c06a22503680a7a8dd548e61c39336400894f |
| SHA512 | a58ddf19bcba0d78b7d0ff6aed419d2f4cb77fd3de2f7021602f3bf9cb15115a4a999fd3a5e07b477fa0595ee59502a9b0d3331baec8918a78ed622f7ee2391c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d518def2d5f88303e298a2911b3b0095 |
| SHA1 | 6600fb59583c780e6340ef1eefee8abf80b17db8 |
| SHA256 | 013de140f581d69d8e6649e90757acd6718b3471207dd1ac3f4440ccc63016b3 |
| SHA512 | bea1abf65cbee81482f048adf671b9018ff77cb68202b3824cdc7c273ef3710822379bce462d649735b96a89da44b6cb2a39812dff9831c0732c81d2734dbaf6 |
\Users\Admin\Downloads\RTC_launcher.exe
| MD5 | e0e2f56b736c375d82c1668267f3fed4 |
| SHA1 | dd92ef585431f4d4295f05f04a044f84ab799b87 |
| SHA256 | 2eef3ef0c91c8783544a4ea58131804dce6024fe5569ebdd1a497e0750693d54 |
| SHA512 | 96ae6a0c5aa214bedc191c8eeb47c7bd17538387456d8af86680aaadf93cb3d2eb07c1714b3a597109789424584b52146ada4b67f9c04aec067c854caec30b68 |
\Users\Admin\AppData\Roaming\RTC-launcher.exe
| MD5 | bfe20aac9317925bcd8621db0946384c |
| SHA1 | c739dfce077121bf2f7614210173966b9731cabd |
| SHA256 | 2d6d57ffff1c26183290ee15d1663283b98fba8c8981b00409bca5ccce49ee54 |
| SHA512 | 3e82fe9df6e037911b6d73bbc38241fd25f96fa1047eafefa543a72e9ea7fa35e232a0e165c39ac5cc4fa864b439743d755545964347b6f9b3b39003dd1d4cb4 |
\Users\Admin\AppData\Roaming\svchost.sfx.exe
| MD5 | 0326c9fc30cea37fc3f9dfdc9c017260 |
| SHA1 | ef2548189632d87afef60c6c5c322daf95a6fe6a |
| SHA256 | d88cd37c5dee7ef1a3bd7836150cfb63bee3ba792a71c08685fda46f31f1b9d5 |
| SHA512 | e7d256931d32502691c8ef9e54ac448b1b38d9574ae78dfcca6764fd3a653b175e01143cfb46f70af662bd8ee1c7521942a4d9dcfd8285e225bf732c4fc8ef7a |
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
| MD5 | cb1929328dea316fcb34f3486697d16e |
| SHA1 | 8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b |
| SHA256 | 7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9 |
| SHA512 | 90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | b4a592662f351fa139e2b2dbaacb6536 |
| SHA1 | effc55d139ca4b4fdd4bccce9c754661b626e624 |
| SHA256 | fae2b33e66e3f661f9ec876e263014cb89e97a66fff8eab2d311fc3ca8b1ec4c |
| SHA512 | b31091654adc567b2fddf6e5a1e8f4f2f902d7a9471462070e0b6f5dea65a7bbc1424ddd7e1b618122bcb3310cb6b9e75a09b35e31f6fa50b4d6c563d7952c38 |
memory/1528-357-0x0000000000020000-0x00000000000E4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 644cad264f0cfe862b3ff1bf524be792 |
| SHA1 | b463477d68e7892974c9638b04b3b846f4e0cf02 |
| SHA256 | ca5e19c85ed2ec91e28f762a51e051f9a487bdb1f92f0d3827bf647b8468f8ad |
| SHA512 | 7fb5025dcf66593019049a6de470b92272536e7ae25c3f784188f0bbbf4007e04e21136ff789cf28f52d0148e6bd348c6ea762ab7badd93d15c474864dad856b |
memory/1304-374-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/1304-375-0x0000000002390000-0x0000000002398000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 55ee2d296693bf6fcf30198bfa41e595 |
| SHA1 | 88f9d8e36bdac6f12359c8adc14197177306d51c |
| SHA256 | 6be7930fe05d7bc514f1342aa59b52503feb9d35a3c4e08325463c25de2935cd |
| SHA512 | 64c97950bbe5b1ef791f6ba39d6685909fb2a299f5997e916d9bee4aa619f3f7fe5b98ee2ada95eaf8594286d8cedc7beed4a4e19fc5aa4216b9b061eb603f1e |
memory/1484-381-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/1484-382-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/1252-401-0x00000000013C0000-0x00000000013F0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1d3861bbe27d98f0a2ee393333bc6bb9 |
| SHA1 | 49bba137047461e89c6fe146753349701a6318dc |
| SHA256 | 2564f35ac7ec4e54528530cf4b2d4adec8a2a0964baa5bd0d3f31fc9106c0f16 |
| SHA512 | 4ff94140497df9180968491b9e184a0350936f1e24dd0007285322e638fc4a5b3e61d9869f06113c064589464126c8a8798ff3aa1daeaffd31ad28e0ba1ae2e3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 835d7444422d567d39ab6080c5ce3493 |
| SHA1 | 19ff2511a8cb741c5759fbdd9e49e86f860d298b |
| SHA256 | 2f0f1869e947171614aecb92f02ccdcd235da41f8ecf8cc121282fc68e91b1d9 |
| SHA512 | cb00b99c554afc3fdee7f11e80be7490b57ce603baa06c0dd7470cb061f34655ae07a1493b3d3610f0271aa3d5770ffd9ca7d0e24a65a1b6d70a6c0c69809ed5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c31bfe2701c9a7191c8e449477ce334b |
| SHA1 | dfcc0750d6700243758e49f292916dc5fe6eb497 |
| SHA256 | 941485e5883b8c4d3490ea96fcfb4458f12a139ec7057cb1c56814f35a54c5b8 |
| SHA512 | 463734e95d95b003d50d1f319636be1220a18e88015145c3fee77f5209ffee93df1afcb384ce3c560c4de988eca1f8667a4266a0dfcd0c18f8662c2c4fa81382 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 7cfb8ab338fdea14920ca73a4353c8fa |
| SHA1 | cdb0eae3f5fde49afdcfb92634cf2b755d83182c |
| SHA256 | f94a101e3f5a18a51f9bd2eb59bb065905c685eb2d9602088787f50953ca9d50 |
| SHA512 | 218e9959836c4a083c7efe84ed5f17792f567c26568eb4c062155f44e21debe6c1d48f9d2f0ca286c129a57594f37a0ad6141398821146b03eb140c74e799874 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 04:26
Reported
2024-07-11 04:31
Platform
win10v2004-20240709-en
Max time kernel
300s
Max time network
297s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\RTC_launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RTC-launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.sfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\RTC_launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RTC-launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651456341256942" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\1111.txt
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d8d4cc40,0x7ff9d8d4cc4c,0x7ff9d8d4cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2232 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3444 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4592 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4416,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4772 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4500,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3532 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5260,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5288 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5308 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5588 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5612,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5752 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6016,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6028 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6188,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6196 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5244 /prefetch:8
C:\Users\Admin\Downloads\RTC_launcher.exe
"C:\Users\Admin\Downloads\RTC_launcher.exe"
C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
"C:\Users\Admin\AppData\Roaming\RTC-launcher.exe"
C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
"C:\Users\Admin\AppData\Roaming\svchost.sfx.exe"
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
"C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe
"C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5036,i,12189389983289215724,6173294440771419803,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4456 /prefetch:8
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rtc-launcher-9cd2ftx.gamma.site | udp |
| US | 104.21.4.125:443 | rtc-launcher-9cd2ftx.gamma.site | tcp |
| US | 104.21.4.125:443 | rtc-launcher-9cd2ftx.gamma.site | tcp |
| US | 104.21.4.125:443 | rtc-launcher-9cd2ftx.gamma.site | udp |
| US | 8.8.8.8:53 | imgproxy.gamma.app | udp |
| US | 104.18.11.200:443 | imgproxy.gamma.app | tcp |
| US | 8.8.8.8:53 | 125.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.gamma.app | udp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | uc393047d338fe987cc598f3631f.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | uc393047d338fe987cc598f3631f.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | redscientist.com | udp |
| US | 74.208.236.5:80 | redscientist.com | tcp |
| US | 74.208.236.5:80 | redscientist.com | tcp |
| US | 8.8.8.8:53 | 5.236.208.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connection-arizona.gl.at.ply.gg | udp |
| US | 147.185.221.20:65211 | connection-arizona.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.187.195:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4248_GBJYDMMMGPUBOGJH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\Downloads\Unconfirmed 265908.crdownload
| MD5 | e0e2f56b736c375d82c1668267f3fed4 |
| SHA1 | dd92ef585431f4d4295f05f04a044f84ab799b87 |
| SHA256 | 2eef3ef0c91c8783544a4ea58131804dce6024fe5569ebdd1a497e0750693d54 |
| SHA512 | 96ae6a0c5aa214bedc191c8eeb47c7bd17538387456d8af86680aaadf93cb3d2eb07c1714b3a597109789424584b52146ada4b67f9c04aec067c854caec30b68 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4a10d402e800726990be461757a06909 |
| SHA1 | 14edc508d3c535e1bc1f9d6aa01033af6ec60d67 |
| SHA256 | f994164f4d0ce3628bc2ad1c79ec407cae99deaa8a6ed13aa5adc0974942a098 |
| SHA512 | e22adf1e8e28dc0aa510321535261a828f573600b2e99b6dc176e2cd0a0c9af3c2be0d8c545f2987853cab9232471147dd74982253a3f37fc5017371aa8d9178 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a9c42a3ed496a9732ee2a849f1bb4c31 |
| SHA1 | cc1f1c279349509de03fa166b1f67ef7c6efa3ac |
| SHA256 | 58f97062a0a0b5ab1c468424b54995ebe6fc83a39d9f531f01a87fb95371fb24 |
| SHA512 | 01a51023598aec2513eea2f7b15419d561aeaa6b2e311c5af8d959ab749f7997c23fc7fe0da7a50b58b874dbd51a7b0eab83765cebb65580c554414008aec68c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fa0ec8b35054b97d0055d2e64b29ca4f |
| SHA1 | ca9e13621c05af531105c7bbb48f5082f478da1b |
| SHA256 | 4b17af985c7b1a7aaeac1c2dad25cc8e94d0e942caf029a056533fce60f65adb |
| SHA512 | 768003b3cc1a4bd937c233793c527c6401643206b896730a5407e594444af23c2ab645f21c5be63c4453137bf38c822de29d7514212e28f33af2828e7089ff48 |
C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
| MD5 | bfe20aac9317925bcd8621db0946384c |
| SHA1 | c739dfce077121bf2f7614210173966b9731cabd |
| SHA256 | 2d6d57ffff1c26183290ee15d1663283b98fba8c8981b00409bca5ccce49ee54 |
| SHA512 | 3e82fe9df6e037911b6d73bbc38241fd25f96fa1047eafefa543a72e9ea7fa35e232a0e165c39ac5cc4fa864b439743d755545964347b6f9b3b39003dd1d4cb4 |
C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
| MD5 | 0326c9fc30cea37fc3f9dfdc9c017260 |
| SHA1 | ef2548189632d87afef60c6c5c322daf95a6fe6a |
| SHA256 | d88cd37c5dee7ef1a3bd7836150cfb63bee3ba792a71c08685fda46f31f1b9d5 |
| SHA512 | e7d256931d32502691c8ef9e54ac448b1b38d9574ae78dfcca6764fd3a653b175e01143cfb46f70af662bd8ee1c7521942a4d9dcfd8285e225bf732c4fc8ef7a |
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
| MD5 | cb1929328dea316fcb34f3486697d16e |
| SHA1 | 8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b |
| SHA256 | 7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9 |
| SHA512 | 90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28 |
memory/1988-190-0x000001B603700000-0x000001B6037C4000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | b4a592662f351fa139e2b2dbaacb6536 |
| SHA1 | effc55d139ca4b4fdd4bccce9c754661b626e624 |
| SHA256 | fae2b33e66e3f661f9ec876e263014cb89e97a66fff8eab2d311fc3ca8b1ec4c |
| SHA512 | b31091654adc567b2fddf6e5a1e8f4f2f902d7a9471462070e0b6f5dea65a7bbc1424ddd7e1b618122bcb3310cb6b9e75a09b35e31f6fa50b4d6c563d7952c38 |
memory/5012-203-0x0000000000B50000-0x0000000000B80000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 4e747fb60c3b87ceca53757b7aa66380 |
| SHA1 | c53d2597d3f0a99a7df786653689b232ceb0137f |
| SHA256 | 41f20ef3b43ade026435bf8a2f11e47f5e9e6a82ec508e6e7bdd90781eedee45 |
| SHA512 | 5b42b2f7f8881a5ad8f324b90ad0cf8fe393724c264b9463e9f7226662c0497f56d0fed737f4ec503acd2ecf9814c14225cf91f1111a7f4190003fc33e3b31a1 |
memory/652-209-0x0000020B6A280000-0x0000020B6A2A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2euv1d3.swa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f48ed3b9a04049057645e81b10ed00d5 |
| SHA1 | 5740c73ccf6011da59983b8698b2da9d23a86216 |
| SHA256 | 673f5677db88aa860196994a1a19f59e869997d9618d6db14432d4e633336694 |
| SHA512 | 9d04bcc046a86a996e9f88962380254527c0d222efa71ce9134111f5d975111245f36bba445142ed1506a4ce7cdd7e265e0a6fe374520e13b5f9d8e4f98d993b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 465286a9b31a4fa4831f9d3a2925c88e |
| SHA1 | 4ba832802f83872ff47a59ace1057bceb38a1955 |
| SHA256 | 24522f12ccd8284ed705803f2c1a3b12ba7d675d300fed443ca9eb55fead55fb |
| SHA512 | 84e4d5f00257670fea86e4397f3b814174609daf24488a82c4ce726f81b5891561a8c56d4053c76a8bc27318685d482dae5e15ba28c1cd14049c15bd552f95f5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e8ba67ecc4a71aec0a3318294c0fab4f |
| SHA1 | f74ee3f16516a601281e12e387ac31565b81d76f |
| SHA256 | 8884c178bafc7414c23b870649f9ffbc74a076834b7cd7e4d2f17539d516637a |
| SHA512 | 7ac3ca79db0e3a71265c04382e1bf5f2762f6aa89732533c246f7f3bac1b5607c4b2ed19ab3ae789c054a02627b09bf2e9e431c671e1436e123c8c59795508e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 10cef33b2526cc04ff6a448f4242b7ed |
| SHA1 | 817e1403373739ae5cb6fa84a2ad7e76191eb44e |
| SHA256 | b825bd483e300f7a011edcac49f480197cb4bbff004e0b7cd992b2bf28a09af7 |
| SHA512 | 5736c335677ff2980c85cfdff8cc250a9efcafe9a1555fde5148bae6b77e1fc7c6a9a08aece25415b0bbdba4db13899964f0b404d34a7a6f5f1c7acf0f16515e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 376b2264158549d2160e7b1a92d4f5b4 |
| SHA1 | 961d068c89423d8bebd1631ba4c77e7b4ee87b4d |
| SHA256 | afb8bb5c7cdf7005c3b5150a949e8299a603660bd31e789245a8c6b81fbdef6c |
| SHA512 | 1c17835da7fa74f29bd2c2783029c22ee57474173d143cff03355c7676af00156fe4573aaf0a9d102a53e02ca07e9fc75db6591779289292a0a1134fdb63063d |
C:\Users\Admin\AppData\Local\Temp\hmhdbm.exe
| MD5 | 42cdc6de3e126e303e5d062d85c6e1fd |
| SHA1 | f90df98687717fe4fae35177079405e94b3a4bdd |
| SHA256 | fff9ad86fe27a98f157ab61c59fefc5ffde25bccfae7896e98a6acdc58f228a2 |
| SHA512 | 9171ffdd858a5b4a34c90600a2270922a96ebb4f4991ec0e833397d892ac896a6af5f83c3eb3f16c6121caa537d61b9fa1f496a9a3b5d777c33fec9308f7340e |
memory/5072-301-0x000001F9D2120000-0x000001F9D2160000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1916e311dae29edb38f2946bd1cbeaa |
| SHA1 | 5a5f04e79c9db4022607f567585aa2447dc0fa3f |
| SHA256 | fef31b0f182c51f528de4d52085cd852fd9cc2738439eedd55ac60552ef67465 |
| SHA512 | a93f7e5d646d4a14c130dd91beafa9697eb0a5f85859376c4c2a019e0d4891d9b013ac761f9e5f7a1d6dff0d9e3c0df75d6f74d1d23f89d6df27f48c7b56f5b9 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
memory/5072-326-0x000001F9D4080000-0x000001F9D40F6000-memory.dmp
memory/5072-327-0x000001F9EC930000-0x000001F9EC980000-memory.dmp
memory/5072-329-0x000001F9D3EC0000-0x000001F9D3EDE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 14d86d2fdc5ff86d488911b7fbad7ef9 |
| SHA1 | d9db24c87859586480abd0e27dad70c62cc1f318 |
| SHA256 | 445d2555f71c3f429df1931a00220573bc7c0980f6f8d2226b5463cccec4a654 |
| SHA512 | 4faf253a56fe01e2b0a9b34f246f0d701db31c9594e4f5c84fce42d1374f5cdb2f1e9e37ff0111eab87208507f13e143e47ddf807b7d029db10b60f20b4144a1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 07d142044fb78e359c794180a9c6fdff |
| SHA1 | 8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e |
| SHA256 | 2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea |
| SHA512 | 356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/5072-363-0x000001F9D3F00000-0x000001F9D3F0A000-memory.dmp
memory/5072-364-0x000001F9EC900000-0x000001F9EC912000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 277f918918ca1de032c2948911ecb93c |
| SHA1 | 0307e48f22426ecfccad2f8eb0e69937ab957620 |
| SHA256 | f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f |
| SHA512 | 043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c27718e87e414d97a3b813dc195914bc |
| SHA1 | 131d04af65d30cc4ea13c54d8324311ea1318c96 |
| SHA256 | 77d73bb2746b9269e1f30db2ed68d8c28f4fd6a75a2d3082971c21adfb900969 |
| SHA512 | 2722ea565df22f8ef7ccd47e25a9bdd7f0757fd052eec2878d07e65e677024699aeb848d3bbf329e62a33f9760e3bc1e41551f4a663b73f0a5e81985f55d2a12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\af9c7df8-6f06-4d59-9dd0-749484fe5394.tmp
| MD5 | 65e8f7ee2524ae5285f949ecf309a1d5 |
| SHA1 | 885ff95a79296302d35868d26649b6bd03809b9f |
| SHA256 | 83cdf98d58f20257025d05e44dbac7113e7150409f761e24dc33f41892e8fa57 |
| SHA512 | 531e0499690f4d6b21d0261f94258e5f6436ad63943183261e0f3362bddeeaf7ac55359f3433b37894b350c95089f867c641c1708e36517f34267fa26e11defe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 414202ca544043756e86ac6d7851f72a |
| SHA1 | 1520df6c638034437ff0f7645d73db1e7a2ea49f |
| SHA256 | 9dacedd307144a78001a8b8608562717e89cc803d72068e18513c98e3fd02092 |
| SHA512 | 8582ae6dd845145ffe8ced8e171812073ceb62d515622fe3f3cb25bfc0de68f6fbacd6b2beffcc8f003357817431f1ffb04d2841a00a6f8519432ba07dd5c79f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4ca550d48e02292da98621bd1fee154b |
| SHA1 | b55b40bb6459bd29752dde929269d8e91d8c0431 |
| SHA256 | c8293f574fa9fe9ef413f20404d035c1b9fdadc910172a295f3d37659321268c |
| SHA512 | f8bb7361924cf8db5b3309f8a1be5fb236690e477891452cc8c45bbd36d081c25aa102d086a49c7b13953f94c1cd994c51c98f33efc0e4ad53ee174d7b3e8baf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 05c6da891519b31c807a2860a6304bf4 |
| SHA1 | 3c0d168f84d405c80df7fae7bde8a75585c433ff |
| SHA256 | bfb28741d8b78f416c0cbc9cbd75f55dc4085688af61262e8e0f0b3b6436a36e |
| SHA512 | 9fa5098d778dabe1a57db06220f9b84acb83e26f95d6c78ddf126b266d67445ee542599984d78885229d84bf5234e56ade568a4f3d3403c2dda0d595505eb686 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a43253933d833458a1120663b517e7d7 |
| SHA1 | 07ef0d2b86dd1fc7ea5d4a43c1695bbc287b2f93 |
| SHA256 | a7c8f7f818ff4d27fcbcce976d8ff9742367687024c4485f2462875b33684566 |
| SHA512 | 3b5d7fdf669316ec54f6fbdb99b453f5e38ed4d06ab78001fefce63ea04b5c8f5bfe308019263a5fddf40e225ce30aa4761e0b9e7d14f1f9b5ab5ceee82375fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 92464dc30d5b57a05b8198d508b61c8f |
| SHA1 | 126412047d9f0c6f9aac3ae5eb6665d29798872f |
| SHA256 | 06b8555cea6f3ac0ab9af1ded280112648a357d629b8853d333158a9626b9dd1 |
| SHA512 | 3995d9a5824dac003beb9c0c47a15544b892204f3a7b6b4d301d4f4fb922405e42aa2df9c8bb6f8ec3206df40a3b78b66bafcf0717193f3932219e9717e9b142 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 23abfb4a938e41fc7f3e97e358cf895d |
| SHA1 | 2314d69d658a2b63373c8031e4ef6ad9e7fa6832 |
| SHA256 | f60943998df07cec1463d6c9b57bd159e30569b902f0d2c94969866f41c6a081 |
| SHA512 | bcd11810121dd8596bf59ccc6832314d3b64e0db3db5b6a3a24130af812c6933099fbb466dd10b2708ad9708692e03fba563d07728296eda5a9d19f83888db04 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 39786d8f7a1c2546f2a7c23d0a8932ae |
| SHA1 | 65a0446438dd6759ebf7e40727cc5bd71d223877 |
| SHA256 | 2a81ef1de71d59542a4673af65d51f03a94f068d58f0ceee885eb7f6c3aad56c |
| SHA512 | 5d2e007470ffcb73e40ccb2049d899aa4f6eb271bbc13592bbc33c578f73b9b8640b503c488048426ce8b449a2dd1f259b4cb89c8046e2198a9b1a8483ea6b44 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 173bc96831d89e76705def0fbd052944 |
| SHA1 | 825f67bb01d53db26778d40b6595beb679e8038b |
| SHA256 | 037649c3b43c011cabfa66f743754a619e10e9ba7467f0afa54f80da4c32df32 |
| SHA512 | 663c5af4f93d51f7e6da3c1ece183dd667957bd4b660846bd99b9f38badc4f36c273c86e4f92ac2e120cb67834a4a657bd361aa1784fdc98e2768298eb6f1752 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 771b8def1622764029877b050b018ffe |
| SHA1 | 3c576d0cbc82e0152c2be29cde072156a33357c9 |
| SHA256 | addf1b2ff0113284caafb46b4895a2d61e914a082571b71da01ee90853b0e805 |
| SHA512 | 852ca61add71582fc4d9487789c37b9d9643d6b8c2e27c91dc5bff05364ebb547b523e92a1096dea12c508ede05329b87adcf3d8a453421a05f0ae6d17a910b9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a9279fc735aab9dbd0fad36d1412a0cb |
| SHA1 | 0a427374c66801d87a9a1e801d237e41fee3c849 |
| SHA256 | f67ab2470c6ec3bb658a15f88b50211b4f971fb1055229085a8a8cc6b1ba4302 |
| SHA512 | af0114f5ea988459cd9a3d1068d941627cd7046c461db61e4d1b290955c3e8ce68c72fb4cad8b95d20aa1957fc2278307ab8a644b383f72e2863a4bcfc639722 |