Analysis Overview
Threat Level: Known bad
The URL https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about was found to be: Known bad. The detonation opened the URL in Chrome; the malicious behaviour recorded below originates from SetLoader.exe, executed from RG_Catalyst.zip (Temp1_RG_Catalyst.zip and Downloads\RG_Catalyst in the process tree), followed by w.exe, ww.exe and www.exe.
Malicious Activity Summary
Rhadamanthys
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Power Settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-12 04:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-12 04:15
Reported
2024-09-12 04:19
Platform
win10v2004-20240802-en
Max time kernel
170s
Max time network
176s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4172 created 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | C:\Windows\system32\sihost.exe |
| PID 1416 created 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | C:\Windows\system32\sihost.exe |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 15 matches, no detail recorded | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| 4 invocations | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
Note: the only file written under drivers is the hosts file (drivers\etc\hosts), first by www.exe and later by the installed service binary HealthTool.exe; no driver is dropped. When triaging an affected host, diff the hosts file against a clean copy for added entries.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
| N/A | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
| N/A | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| 12 invocations | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
Note: MRT.exe being opened for modification by www.exe and HealthTool.exe goes together with the wusa /uninstall /kb:890830 call in the process tree (KB890830 is the Windows Malicious Software Removal Tool). The two PowerShell files under config\systemprofile are normal first-run artifacts of powershell.exe and show that the Add-MpPreference call ran under the SYSTEM account.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 516 set thread context of 2604 | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | C:\Windows\system32\conhost.exe |
| PID 516 set thread context of 4400 | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | C:\Windows\explorer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| 21 invocations | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
Note: the .DEFAULT SystemCertificates and Internet Settings\ZoneMap keys below are created by the Windows crypto and WinINet APIs when powershell.exe first runs under the SYSTEM account (here via the PcHealthTool service). They are a side effect of the Add-MpPreference invocation, not certificate tampering; the real defence-evasion artifact is the Defender exclusion itself.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705881803465902" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{36ABB549-0FAC-488D-ACCD-38BBEC37ED9B} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| 4 instances | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Note: Chrome's sandbox sets the block-non-Microsoft-binaries mitigation on its own child processes; with chrome.exe as the only process here, this is normal browser behaviour and not part of the infection.
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85f4bcc40,0x7ff85f4bcc4c,0x7ff85f4bcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2480 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2596 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4344,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4668 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4868,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4668,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x34c
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5536,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5432 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe"
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /tn WmiPrvSES /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe" /sc minute /mo 1 /f
C:\Users\Admin\AppData\Local\Temp\www.exe
C:\Users\Admin\AppData\Local\Temp\www.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PcHealthTool"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PcHealthTool"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\PcHealthTool\HealthTool.exe
C:\ProgramData\PcHealthTool\HealthTool.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4796,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8
C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Users\Admin\AppData\Local\Temp\www.exe
C:\Users\Admin\AppData\Local\Temp\www.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PcHealthTool"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"
C:\ProgramData\PcHealthTool\HealthTool.exe
C:\ProgramData\PcHealthTool\HealthTool.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\w.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Users\Admin\AppData\Local\Temp\ww.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
Network
Files