Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/EIQhKd was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
NTFS ADS
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:04
Reported
2024-04-06 22:06
Platform
win11-20240319-en
Max time kernel
85s
Max time network
95s
Command Line
Signatures
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700 (1).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Admin\\AppData\\Roaming\\WinRAR.exe" | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133569147218595154" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\winrar-x64-700 (1).exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/EIQhKd
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbec9c9758,0x7ffbec9c9768,0x7ffbec9c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4512 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5392 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3776 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5424 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\winrar-x64-700.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar-x64-700.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRAR.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
C:\Users\Admin\AppData\Roaming\WinRAR.exe
C:\Users\Admin\AppData\Roaming\WinRAR.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2632 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5008 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5528 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1812,i,2399966294164006577,12914757082538868185,131072 /prefetch:8
C:\Users\Admin\Downloads\winrar-x64-700 (1).exe
"C:\Users\Admin\Downloads\winrar-x64-700 (1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| CA | 134.195.196.186:443 | store11.gofile.io | tcp |
| CA | 134.195.196.186:443 | store11.gofile.io | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:15158 | cell-calendar.gl.at.ply.gg | tcp |
| US | 147.185.221.19:15158 | cell-calendar.gl.at.ply.gg | tcp |
| US | 147.185.221.19:15158 | cell-calendar.gl.at.ply.gg | tcp |
| US | 147.185.221.19:15158 | cell-calendar.gl.at.ply.gg | tcp |
| US | 147.185.221.19:15158 | cell-calendar.gl.at.ply.gg | tcp |
| US | 147.185.221.19:15158 | N/A | tcp |
Files