Analysis Overview
SHA256
ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526
Threat Level: Known bad
The file pornhub.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 15:41
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 15:41
Reported
2024-05-26 15:44
Platform
win10-20240404-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\pornhub.exe
"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.65561302\974666775" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b472684b-5978-46bb-abae-f6d9c031a52e} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1796 1677bed0158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.2009978888\1533454162" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed61d75-046b-42dd-b408-47f0dc99e40f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2152 1676ff6f858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.793737724\1704977890" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2700 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c8b9cf-158a-4ec4-b3e6-119c0ee64874} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2692 16702cb8558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.438245170\1800960304" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba649d18-4247-40cc-b15a-252907faa9f9} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3496 167008fa658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.137159032\1638134915" -childID 3 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0bee18-0810-48dd-b540-160cb489a2d7} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4092 1670300fe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.780020215\1910889039" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ac9b9c-e2eb-4aa7-9654-080ddbd88b1f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4804 1670329fb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.6.1845768467\1971945075" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8520d1-e8c4-418e-bb0b-176599cfd13d} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4912 16704f8c058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.7.1226406622\1142837431" -childID 6 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f21cf5fe-f5de-4574-96ab-aa06140f6e73} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5096 16704f8de58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.8.985399268\1830031175" -childID 7 -isForBrowser -prefsHandle 2632 -prefMapHandle 4960 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dc45e2d-b4ae-4797-9d82-59c8e54d276f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1652 16706706258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.9.224315821\434547114" -parentBuildID 20221007134813 -prefsHandle 4208 -prefMapHandle 5748 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a9c19d-cc54-431c-a28f-2110defa1fd6} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4184 16704a7e458 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.10.629507646\1741374541" -childID 8 -isForBrowser -prefsHandle 4104 -prefMapHandle 5756 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bd6153a-4c33-40b9-a8c5-464653a79bcb} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5768 167070f0058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.11.195892538\735245328" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5940 -prefMapHandle 5944 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73445504-ba1c-4d88-a60b-2c24c6fd4c16} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5952 167071efe58 utility
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | character-estimate.gl.at.ply.gg | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49989 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 44.237.65.238:443 | shavar.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.65.237.44.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49995 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 196.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.178.22:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-vtbn0.gstatic.com | udp |
| FR | 172.217.20.206:443 | encrypted-vtbn0.gstatic.com | tcp |
| FR | 172.217.20.206:443 | encrypted-vtbn0.gstatic.com | tcp |
| FR | 172.217.20.206:443 | encrypted-vtbn0.gstatic.com | tcp |
| US | 8.8.8.8:53 | encrypted-vtbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | encrypted-vtbn0.gstatic.com | udp |
| FR | 172.217.20.206:443 | encrypted-vtbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| FR | 142.250.75.238:443 | youtube-ui.l.google.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | 194.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | youtube-ui.l.google.com | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| FR | 142.250.178.130:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| FR | 142.250.178.130:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 130.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| FR | 216.58.214.170:443 | jnn-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| FR | 142.250.178.130:443 | googleads.g.doubleclick.net | udp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | tcp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| FR | 142.250.179.110:443 | encrypted-tbn0.gstatic.com | udp |
| FR | 142.250.75.230:443 | static.doubleclick.net | tcp |
| FR | 216.58.214.170:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 110.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.75.250.142.in-addr.arpa | udp |
| FR | 142.250.75.230:443 | static.doubleclick.net | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| FR | 216.58.214.170:443 | jnn-pa.googleapis.com | udp |
| FR | 216.58.214.170:443 | jnn-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 174.20.217.172.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.197:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 142.250.178.142:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 142.250.178.142:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 142.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
Files
| MD5 | 7f868e557b098795d645df9ea302427f |
| SHA1 | 001f3306144559b4049a8ab139b4139f51e59c0e |
| SHA256 | b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5 |
| SHA512 | 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a552d729e0774e3f38a9747c3e7de4ff |
| SHA1 | 6f74e2708f2fffd9d69ad10e8f526b89da11e7c2 |
| SHA256 | a779506ef649add3a3b704b11fa8fcabb1426d2335e6c63452c20da6ef24c6cf |
| SHA512 | 151643b8face85e45f92038bf8f9dd33adabf8f9e8591fd1417e83cd11bb2490c11372f57d2475c7412aa23f2ad7c3c74ad4187ca53d4f49a43fcc9eb94f16b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 5e2f273ee3f26e100332dcb28ed18eaf |
| SHA1 | 73f19c35508030440f2df57b36502aa556b1f59d |
| SHA256 | 298b338ea56cd0ab7554b2fcc65c8e11d780c31cb8855d1857cc35280821bfed |
| SHA512 | b4abfd3349fe859dcf25eed875196cbafcd1cbf020e7264f14b0cd87d5baf9660448ce37844b1309efd50c8ec587c20da7b1a82c8b5a305abed4e175188e86d4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\3706
| MD5 | 4874273708b329665351e8898662f3ea |
| SHA1 | a8271ef039b5258de0a1888fc1ab432292cc2cc8 |
| SHA256 | 251422b381c3a9859f51d0813d557da85fa10973d7db0cde0f4808873dc12abb |
| SHA512 | bd101e2234020c09de40bc312a3834c8e7d481f21e03348ed0104bf9b8171b7f4ac906acf05aa4c0ba4190c5c2bd30170a8816fb4efb820adc9e11d69813b47f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31862
| MD5 | 459e73884a6d5a55b06f66f3748493a1 |
| SHA1 | 2b548c7e5e8451623fcb2ce798cbc157ce4ee00d |
| SHA256 | d9d413c67364dbf98ca4dd5941723310485c36d4822bfe64e6abcd7c5a571b30 |
| SHA512 | 62b69004c5f20d828d6010d056b43b10a0319878ef86eae335c1aed561b55835a512492086aac03e5dd2f08abcf06647c6138b30577bbf1c8d1e2d69a825b7e2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18799
| MD5 | 3e71e8da5d551801ed2d8a5d2a69b93f |
| SHA1 | cbcd22b0eb2ab924fa0ca8e173d660c53f87df67 |
| SHA256 | 99ecc1a0bb78d5a9e1ede139aa5c420f38a1cef7b08a32be052ff9bf508b46c3 |
| SHA512 | a783d7953676a4f771148803d1f2f5695ee3138f1c1e55db585cac756ad6040a2470b5e75176fde399e836c4e26db45f7700357ab9f92fda1e48dcbcba015794 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21840
| MD5 | ffa98abec1cd058ac77b4707c5019c23 |
| SHA1 | f890beb0f37450f7f81328efdf61c8f789882fcc |
| SHA256 | 9bc78d92034d211da8bb0be4862b533bcbf4d26dd00f800286f31d2ffa36e921 |
| SHA512 | ed56dbf7020b309425d42d3dba8eb99fe24a6d4d940f4eb5aa15a7c158417cb6b6f25c9d88fbfe7673119c59e342b3c607a8aba2654a7cb9ddf81e347c2f552c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21616
| MD5 | f1089602ae8f6a99a7b4f021b6c2cb1a |
| SHA1 | 2e6d1f62c57ef41964735033fac43d0ce8175e11 |
| SHA256 | 52da9e67f8a0768ec335881da2b9915a23ae8731b0e6747146e0421c3752179e |
| SHA512 | c805b34615285abb1b3732cf0cb7673472adcc0e8375bc8632d10e1aa2d175fac2495c5f8f330e7095db2ef25db6c1baf1bfe305719f477cc298f55308b9783c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21650
| MD5 | 2cc770b3a14bb958eba5c904e196a9de |
| SHA1 | 32f0ab3a59b3d4a1c07ecd3866d5f50cfa7d6c02 |
| SHA256 | 47c40a0b7ac3561cbfb312709d9a2ceae7879b68bb6d30a131725a58808c4bc4 |
| SHA512 | 378c9e61c5c779ca4d7d87d13dca47ea0d52a17c0ae3d554fc91760da29751b9e773ba6da1d7049dc6b643ad2d4ddddcb983fd68b5eeec0fa4955d0783970efb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\11653
| MD5 | 7fa1bba94908d44e221e5a7a91b4e647 |
| SHA1 | f2cd7a4d378cc4ffaa2722d80024b794228c3870 |
| SHA256 | 9e3092004bd23dd874849f6e09efdeb0af44e20c689bdf0369771e0f32f4080f |
| SHA512 | a3725dfa927ae5459245f271c2a02d71a4611e3d6a607f089b294787fdc2278a111de9670b0463f2d282e99684ec53c85e7a316de87a7744d0219ebdbf04c102 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31583
| MD5 | 13fbe801c1ad70a6b88484623effca06 |
| SHA1 | 6a65b1147bb0edf8d862709ba086af9abfc22a73 |
| SHA256 | b8246b5e3e1935de66782a7892e9e2f763fdc2a63350362cf958d678cb3bcc5f |
| SHA512 | 1b574c6a31bc0fb34d9593dd87f984ddece2d167a9176fdf3e1c4c34c13cde71255c0b03ccf82ede42d4b681b33c8a5beea89f448da05515e1670ca831925fbd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18072
| MD5 | e875e80d1ca157fa33d33fdc86c93fd0 |
| SHA1 | d3fc9c7694a147e0d49b601170c92a1dc1cec23c |
| SHA256 | 38a8641f92b3f37ae55413c0fd2f60b9551ddad994c2aa1cd3dfb922c4419da8 |
| SHA512 | d34e7c3727bcec7196c82a49e21ad8ee33b4093f089807ea5bcce956eea87788f276b4b50e8f54e33cf9c9ca90cac6240e029de0e20cf7852198bbc43d4be298 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\28542
| MD5 | 5c8523edaff8cd24e111e735a47dd0ac |
| SHA1 | 7fd940d74c29fec166528e752e469d01c53eba72 |
| SHA256 | fd08542992d7435e233dce7067037381f1642543f0afda3a588e0f1f3f558d90 |
| SHA512 | 40dd54387fa921a62eb919824734de788f65339ab608c4ec111802fa2c252c32389b38a00add6e9ebb112b000813f14016974eb182a6c2dcda126f6d0cbb279d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\25276
| MD5 | 5a2c3234d645258487faf165c6137727 |
| SHA1 | 63a5b410d1b344d56e15aa4f583d0bdb92c2e47f |
| SHA256 | e48921e9ab4e289a597d3382d2d4e6b2b78edc8c5a6382d3f93fc1ab002d2954 |
| SHA512 | 56e7929e28ea971f97af679f9b1641f268ac0ec4f16c88d0bdd4ea972e9a19107d6b1e61b2c7a8d1bb3cf7328bb8fd0ebadf64e190320d531a96fd8f60fc16d1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 922d69a3142032cbbc3af5a0d027be43 |
| SHA1 | 4c766ec2dd83d9ca1a6e50a8afeec1d17a28d7a8 |
| SHA256 | c49f11f737c555758cba508b6e6ed2f2c8561ef3b5c506075eba0a401184c05a |
| SHA512 | c9bc1cb67de823014ae51366b3e0e39259b253cbfb91a6f8585d265de91cd27f1cc39734794bd59db908527ba22356d837586d09bfd2f4821b243a9c0df6bcf4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 28cba90ad814ffea902f2d0b3864777f |
| SHA1 | e123c0895f52ba86b8b7520eb983c81fafd37521 |
| SHA256 | 4f0dacd4383d39da115748b4614436a1b95fe84da14814bae38e3be1f3ce6fd5 |
| SHA512 | 750ef68c6e0658a1ebabd45ab1bd5a53b49fee0dea565963717b65dafc2313eeb4342a6de414924f9c8ce82f7766d52be8b632d963385cae4826f8edae5667d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | bcca65a489811c5ec11b9621d1eacf42 |
| SHA1 | 12e336d2ba9cc0ada739935d05c7c1c1b659cfde |
| SHA256 | d29da7d252a4074016b8da18dbc9a8c5b2628ba8ddc14697415635cc918231ef |
| SHA512 | e346055ed51e2cb94f7455ef9fce2f4273e45fc2c0ec455e641630c91eb32700e1b603d5e2ba477862dc84693839246ce8720e3707659072fd7d0cf40a98c115 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
| MD5 | 545992bcc3657be95fa22ae18cdf8807 |
| SHA1 | 441c85f5864b6b86aaaa0c1e516d1da21c7d3c46 |
| SHA256 | 0baef5a6540bfc1143b1eb8f3ec9603cdc5a556b4c4a0892c7592ca81680f6e3 |
| SHA512 | ba7f47574d4e6836c225901db43cb6f5140f33a17271ca9acdff45355f4237896da3bdeb1ecfc1029989f42f43ad1c9c98edd8a4334bacf48cfa895ec5f19cc7 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 15:41
Reported
2024-05-26 15:44
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pornhub.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pornhub.exe
"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | character-estimate.gl.at.ply.gg | udp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
| US | 147.185.221.19:61192 | character-estimate.gl.at.ply.gg | tcp |
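The behaviours in this detonation chain together in a way that is worth encoding as detection logic rather than reading row by row: the dropper writes a Startup-folder .lnk and a HKCU Run value pointing at C:\ProgramData\Chrome.exe, then spawns PowerShell with -ExecutionPolicy Bypass to add Defender exclusions for both its own path and its persisted copy (Add-MpPreference -ExclusionPath / -ExclusionProcess), and beacons to a *.ply.gg host (a playit.gg tunnel endpoint) on a high TCP port. The following is an added triage example, not part of the sandbox report and not the sandbox vendor's or the malware's code: it replays constructed Sysmon-style events carrying the indicators above through four rules and rolls PowerShell findings up to the parent process so the dropper gets credit for all of them. The event shape, the parent/child relationship between PID 2904 and the two PowerShell PIDs (2948, 2612, taken from the memory dump names in the Files list), and the benign control rows (PID 4100, 5000, updates.example.net, 203.0.113.10) are assumptions; everything else is copied from the report.

```python
"""Added triage example: replay the behaviours this report attributes to
pornhub.exe against constructed Sysmon-style events and turn them into
findings. Not part of the original sandbox report."""
import re
from dataclasses import dataclass

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

# Constructed events. Indicator values are copied from the report above;
# the simplified field layout, the parent/child PIDs and the two benign
# control rows (4100, 5000, example.net, 203.0.113.10) are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 2904, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"kind": "file", "pid": 2904, "image": DROPPER,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk"},
    {"kind": "registry", "pid": 2904, "image": DROPPER,
     "key": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome",
     "data": r"C:\ProgramData\Chrome.exe"},
    {"kind": "process", "pid": 2948, "ppid": 2904, "image": POWERSHELL,
     "cmdline": f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                + r"'C:\ProgramData\Chrome.exe'"},
    {"kind": "process", "pid": 2612, "ppid": 2904, "image": POWERSHELL,
     "cmdline": f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
                + r"'Chrome.exe'"},
    {"kind": "network", "pid": 2904, "image": DROPPER, "proto": "tcp",
     "dst": "147.185.221.19", "dport": 61192, "domain": "character-estimate.gl.at.ply.gg"},
    # Benign control: an admin excluding a build directory from a console.
    {"kind": "process", "pid": 4100, "ppid": 1234, "image": POWERSHELL,
     "cmdline": f'"{POWERSHELL}" Add-MpPreference -ExclusionPath ' + r"'C:\BuildAgent\work'"},
    # Benign control: ordinary HTTPS traffic from an installed browser.
    {"kind": "network", "pid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "proto": "tcp", "dst": "203.0.113.10", "dport": 443, "domain": "updates.example.net"},
]

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^']+)'?", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
TUNNEL_DOMAIN_SUFFIXES = (".ply.gg",)  # playit.gg tunnel endpoints; extend per environment


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique the rule maps to
    pid: int
    detail: str


def check_event(ev):
    """Return the findings a single event produces (possibly none)."""
    out = []
    if ev["kind"] == "process" and ev["image"].lower().endswith("powershell.exe"):
        m = EXCLUSION_RE.search(ev["cmdline"])
        if m:
            # Only exclusions of user-writable paths or bare process names
            # fire; that is how the dropper shields itself and its copy.
            target = m.group(2).strip()
            if m.group(1).lower() == "process" or USER_WRITABLE_RE.match(target):
                out.append(Finding("defender_exclusion", "T1562.001", ev["pid"],
                                   f"-Exclusion{m.group(1)} {target}"))
    elif ev["kind"] == "registry" and RUN_KEY_RE.search(ev["key"]):
        if USER_WRITABLE_RE.match(ev["data"]):
            out.append(Finding("run_key_persistence", "T1547.001", ev["pid"],
                               f"{ev['key']} -> {ev['data']}"))
    elif ev["kind"] == "file" and STARTUP_RE.search(ev["path"]):
        out.append(Finding("startup_folder_drop", "T1547.001", ev["pid"], ev["path"]))
    elif ev["kind"] == "network" and ev.get("domain", "").lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
        out.append(Finding("tunnel_c2", "T1572", ev["pid"],
                           f"{ev['domain']} ({ev['dst']}:{ev['dport']})"))
    return out


def triage(events):
    """Group rule hits by originating process. PowerShell children are rolled
    up to their parent PID so the dropper that spawned them is what lights up."""
    by_pid = {}
    for ev in events:
        for f in check_event(ev):
            is_ps = ev["image"].lower().endswith("powershell.exe")
            owner = ev.get("ppid", ev["pid"]) if is_ps else ev["pid"]
            by_pid.setdefault(owner, set()).add(f.rule)
    return by_pid


def verdict(rules):
    """Persistence plus self-exclusion in one process is the RAT-installer
    pattern this report shows; a single hit alone is only suspicious."""
    persistence = {"run_key_persistence", "startup_folder_drop"} & rules
    if persistence and "defender_exclusion" in rules:
        return "rat-installer"
    return "suspicious" if rules else "benign"


if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, verdict(rules), sorted(rules))
```

The rules deliberately do not fire on every Add-MpPreference call: the control row that excludes C:\BuildAgent\work from an interactive shell produces nothing, because the exclusion target is not in a user-writable location and is not a bare process name. In production the roll-up to the parent would key on the Sysmon ParentProcessGuid rather than a PID, and the tunnel suffix list would come from threat intel rather than a literal.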
Files
memory/2904-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2904-1-0x0000000000FE0000-0x0000000000FFC000-memory.dmp
memory/2948-6-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2948-7-0x000000001B3D0000-0x000000001B6B2000-memory.dmp
memory/2948-8-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5d56f29f3a2afb560ecf73a9607d7139 |
| SHA1 | 3ecc10a517295bec0038aedd9d0d0b42b8d456cd |
| SHA256 | d722044abee8c77949728b20c487f38aad09f763fde45edf79f95ad65f88198e |
| SHA512 | e261172c5be24986c84d147bc3b8283c41ee0d22ff7eca330294649909694861f7b35425164b91cb50952e038dcc23548375a497fc87d25f966fa472cf401879 |
memory/2612-14-0x000000001B220000-0x000000001B502000-memory.dmp
memory/2612-15-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/2904-30-0x000000001B210000-0x000000001B290000-memory.dmp
memory/2904-31-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2904-32-0x000000001B210000-0x000000001B290000-memory.dmp