Analysis Overview
SHA256
68535d5ca02f0c0bbd40b4ec132111abcb835945095498bb6c5eec282042818f
Threat Level: Known bad
The file receipt.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Drops startup file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Runs ping.exe
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 11:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 11:19
Reported
2024-05-30 11:21
Platform
win7-20240221-en
Max time kernel
122s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1428 created 1176 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 1428 created 1176 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 1428 created 1176 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | C:\Windows\Explorer.EXE |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\receipt.exe
"C:\Users\Admin\AppData\Local\Temp\receipt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Adrian Adrian.cmd & Adrian.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 824903
C:\Windows\SysWOW64\findstr.exe
findstr /V "RELAXATIONTENNISYOURSSCAN" Seek
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Measurements + Asked + Report 824903\t
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif
824903\Suse.pif 824903\t
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & echo URL="C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & exit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | PVgQNHszldiRVxJpoZszvCOlfluc.PVgQNHszldiRVxJpoZszvCOlfluc | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| NL | 91.92.249.142:8989 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adrian
| MD5 | 669bcb845485adbcaed94cee013b506d |
| SHA1 | 6c4e86b2fbd3f1d1a0ae44403a7d8617de533dc6 |
| SHA256 | 879480c9b69cfc918318d9cedcdb5c06038dc1108a9cf6ce9ef63eff89974757 |
| SHA512 | b8719eddda11472f8023b6205b2f225eea1aee861161906b1a6002143b3493c844cab2e315a386d88fac38341860c60be613ded40a073984e4b496942a6dd469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Seek
| MD5 | 8aca5459b5f158e0ed914703c45bd5b8 |
| SHA1 | 44a0c6306ef7dcbd45ddc1d3143badcb8db4219d |
| SHA256 | 79187028f716e643081f3c14e5cc25ca6280ef8d87b1913663c64bfca1b46a47 |
| SHA512 | c10a6120f108671ebe38b38580364dd2565088b2cf7d7fbba38f738c7424eabfb1362fa765e21ff713affa30016df97f26af249fa85523e38f7236ffed4cb186 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Planned
| MD5 | 99012f57b2e272c1d30b732d3a9f17fd |
| SHA1 | 0f166ffceed30fe753799bd7fbfa4852848f72c2 |
| SHA256 | 4776ce1bebd9bc4890ba149d1b6a6695c7e9d8ac95b932ffb58f02d5f4d14875 |
| SHA512 | f12b81498a5e71edc47de26706b924e5f0f48e4a1096632c4fbf3a286828ea1c09ab04e6dce164df885bee081d5bdfce18def9d43ea1123b4415b4864e3d8fb8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Me
| MD5 | c58fc578f490d1ad28c01b6080af1259 |
| SHA1 | 114fd98f30a53b122f73ea6466d6cb68fe2f0896 |
| SHA256 | 1ae3afce9c7787b42ae8b543fc5412a99a7ff2540116b59c4c3f8b82c75742fa |
| SHA512 | 6afa9b5ec23cb3936fc2a2fb11ea2d63f61ef08ee777a35844aa5209438c52f00e256f42f201eda31fee055f166be2b27a38ab500d1176c5892652800dcca47f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Activists
| MD5 | 05bf8eaa80ed61c659b29fbbc5210e15 |
| SHA1 | 09d54bfe876025303f5f6195adfd3deb9e009695 |
| SHA256 | bee181608b58e65ae70586ce1fea3f8666adbdf180c7a2090e0d7a76307436d1 |
| SHA512 | 7d528b570d48d6d112d636924ac3f2812332a3884c90113fb787c3958ed351e75ab2bb77203816712199bd7310e8e5b0bb70d0ce8809ab088e8464386ebf114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appearance
| MD5 | a02321b286bb90393ee73f07182af12a |
| SHA1 | c4e4bdfccd9754bea38d42a41be8a36e4efdcfd9 |
| SHA256 | ebe905d945c10ad2aa3d31e6faac37fd119e0000b12111b99fdaf436506a6a6e |
| SHA512 | f6b0c2a5d4b773f4f2769cc31f425ad9d1420187ab757d7bfa131612419efc81a98d2358920a0e4e2de08d16ed3907fc8620895822d4c0a0e4372bdcd21fa025 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Accidents
| MD5 | 7c2436e544a3abd424d29343a41366d0 |
| SHA1 | 139e3da90cfca5825161ce8f5af519b1db2c95c0 |
| SHA256 | 01678427aeec32aa7babdeeb5804a48c77eb4b0a8ce75dcaa9dd603a5f27db82 |
| SHA512 | e4725d4ca1b865fc0eb400fa15fdb06a66378c87819447443322a4eb55d1ac8a2715cdadffae10fe28c141fa4bd98aba1ba7a8d53e19ef0ebb9ec775e88ba511 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jamaica
| MD5 | a39644e2ce927c92272cf8107fb3327b |
| SHA1 | 26c8d5eb1539b64398d9b23913a05ec070773f9c |
| SHA256 | 85d4421aee35da360bb53ae599549fddb4b1463d36770db3fdc1ffb89f985fd0 |
| SHA512 | 015ca51a93ab2ffd345302cb0948ae653b780effc08bd86aea2dfd8098a2a48c94c817059b55dd5325ebb8edcf81ac0d052df2b1ac698f9837bc8272f0786449 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Persistent
| MD5 | 8d2121bb8a9b7ad27e69e1bc957f8979 |
| SHA1 | 3fe2d692d2af03c4d36dfac9f3fde4d00edc1716 |
| SHA256 | aaba07f2e70929d5f4f3912dea2e71495ebca035873037afb9a9a3f678fdc7cf |
| SHA512 | c4fe975c8ee22a53c9131b231612591601035b9401a8f88f05dbdae3edf198d9c119c055df5f4bf44fc1e42ad9a49819a791e412460f776b552a2930bbea84e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Numerical
| MD5 | 6c714307641de8c93d261ed9cc77646e |
| SHA1 | 6cba8af80995c69b1952cd36c03b70dbfeb8cae2 |
| SHA256 | cd65eb96896d272cbc5b0983ab6f4e22531234b8d135a74775a6e1cf373b9018 |
| SHA512 | 3fa4f131d511de5bd5f1cddaf888a214e152444045ac1495f2f643aaf6b36d866a81867a53006e6eae6e9670e53b2ab06b84363e1f05dc5efbfed00b014d9a9d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Calvin
| MD5 | 4d19078157a311f1346f191caea7e509 |
| SHA1 | 8121ad256d953cd92cf8dfa9534c1b6faf997832 |
| SHA256 | f6f2c4c9ed18d938a44faeea9da23c817f0fc0768c4aab5e4440c68c16f703a0 |
| SHA512 | db30db32616d0603584cf68691af76f814da57ff1ed0e7914df796d688fb262239041d6089b31f27f09d8f306718b54b3a65070999890becb716672c43c10822 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Endorsement
| MD5 | 4a26c986918b78352da428c9880ca685 |
| SHA1 | cb2f1211d2f87f3b9494d0a83f574b1e58835184 |
| SHA256 | b327e7db0d1ac5cad2b1935a1708bab247664fb009fd923a1153933d24a920bf |
| SHA512 | be84ac35b5d32899fc2a5420df08ffb45eefe510e64f08a7ec9efc5443c18496a679bf4b277754ffb43915e5681bd9c2a628c10b41f94504aa9ed2988225012d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lesbian
| MD5 | 619654a36360c018f16e384fd1e6b387 |
| SHA1 | b232c087e34fda965d6f88bde7a35664d796f1c3 |
| SHA256 | fa44132bde285d5768d4d952c358b40469304aeb3b66ee8cdb4a54fb575d40c7 |
| SHA512 | dca163feea318903e535d899300df1d7e9ff6c1639c166c0d4ba8060735f081ee931e613b218cb9aa71f198ad9d9569c6dcf667265b904519cae8b8bbf5b71e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spring
| MD5 | 72f0225d667c4395eab1c35726d56f36 |
| SHA1 | c57f5a6d4953b7b7c8fd9fe1c1217b880ca4d9e0 |
| SHA256 | 7b69034a324e195ef42af77762c22b5894b9b36787942fa2cb42390c7d30673a |
| SHA512 | fc7bb12e8984d9fc7ccba5c3ad3b7f2d84ab00a561c0a884d2bde15b8b990bf5682615f49ed0b8ac609a6b5c7e2ac06fc363b852b49c9ba64759ba7b6204ac6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fr
| MD5 | fe66f07a1dc3527572e662308b33f2d1 |
| SHA1 | 8eaef41529ddfc9ad45df088b40265d75a590546 |
| SHA256 | e68d5a6047ce198cc348da288cea64dfa8d3cdc534bdb095b123b1c796fbceff |
| SHA512 | 2f6c8e2c1ece9d69f8b7707ee4a0ff9cef3fba652c4ab22172f756563ff2d016326c7e62629d4af11920c7251de4ea78f0b26530340bfca18b1288df5ec2cb0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Information
| MD5 | 2113d64d2825d8f335cb97226dedcf21 |
| SHA1 | 717127436c7d315618099ef3788b4f8a2efb04f9 |
| SHA256 | 3c83b5d248f30faf27709bf466d8410319d42f31dd02767c2a6cf35488e87578 |
| SHA512 | 9170c1150a348badbdab5aa177f2963bae784e55a22fe273cf9934ae82581c43b80230e4535dc2fa21e7b421712790bf4326aa68c166ed1ade802d0ff7a3ec7d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Education
| MD5 | e0e36a8fab76f17638d4c66d7bf47387 |
| SHA1 | 41cb341f8d74bdf6ab2fcb6c5de2ef0fe4f2a209 |
| SHA256 | 9327b77e25664dcb9bc61d4af63acc998c528947d4628bdb59c8c3121f6c74af |
| SHA512 | 982105d230869a83cc7b002ce928720967417206bb0d748ca860dfa4c167554dc271756e1f5ca773490643a1d4c77383f287135202c40b1d37f4b2bf16998fca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Heart
| MD5 | ef90eff38af57e222a94fe9445264f79 |
| SHA1 | 15022846a434e73984808b3d844beda2bd794e43 |
| SHA256 | bf042e2854f6545cb3a1bf5a18e010ed72428a1d120655d5452264eff6c7c5f2 |
| SHA512 | ce96d72a17ec59dbf51dc1a30d492e45bfd09595c2938b7879308f727792d538fd92f345a2e23a14c3aad5a3f14a55184e1da0bf6311dd3d31e184d23581b35c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\America
| MD5 | 5ecf891e5790eca39dfc47de2642a290 |
| SHA1 | 3b7c0fd78edb35cbdcbb7fa0e58dd236b6072627 |
| SHA256 | b8b03938c9e19283c45c8b0f3c47719741ba93b5305c5be6f3f16ba96f58e017 |
| SHA512 | d4d960c261657ca817db72a1b8c2ffddee8f87009d46d91d1804b39a12ef9209b0c0a476195c4db1a25c1d865a22960c22eff18dd2f3e924ffb45fecc387114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rogers
| MD5 | d0f3d612fd98c067cbee5c1a9d191fb9 |
| SHA1 | 532cac39990879f4530c44cba0f7f4c6f5737817 |
| SHA256 | 4982dcc44f35e26ac9ab0c9a893e8c095b461e22cb8deb50f9146c8028c2da2d |
| SHA512 | ed6cdae54129de8bc5cdc020fdeb3d87a5259ff8d85ebcf5abee77499ed8f9c8e2dda1dbe679c467d21d6ab8897c230bbe9711878b8d4842fc9ba20d7f861127 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sealed
| MD5 | c979fd8c1c9972e5bf7f4121c363d8d1 |
| SHA1 | 1da51ad6a8b89c164095a82264a4dabaaf2f5693 |
| SHA256 | c0a872d2bb4cb884183f4c31d161005a5704a1ec91ef72bf6ede4f91e9fd3461 |
| SHA512 | defb9b133a59499544110cd99414cc11a669a61b4441057b5b43d94a983212be4e920e30e0d574411889aa75f925b6da987448880a4bdc28a08a5b8b1b88fc73 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bomb
| MD5 | 432c3fb47d74bfaf66fad92ab18ebe2e |
| SHA1 | f91def68a64c7264bbb628bb3462ec852e58bb85 |
| SHA256 | 558a2cd4c4682aa34450b7076aa4ae85a0f258d4b52904d13a0404be4d91897b |
| SHA512 | 7b96c40798466a52325d03364ade9f2fc57553493fea6bcb83ed3dd3b73b6a8646d5870b77ca8d57fc71564a19efe213fe76982856200935ced5c882afd1a816 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gr
| MD5 | ac36046d34acdbb2ca74a24a50cbd51e |
| SHA1 | 302aae6fdf37cd88ce7c59a02ce4f74ce0674900 |
| SHA256 | a1bd4270c698656f4ea48772a127d45d6dc81b23c33ea69b233ebe1b425cab3e |
| SHA512 | d8839258506bd448c76a674ec053a962a4d5f0dddec659f9cd36e2d2af4d50307f7dad7beb8eb56add8dc6048327310e03cee964343ecde3466d14ce72ec9b06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Grocery
| MD5 | 79445655d7e5636383812464b6357fe9 |
| SHA1 | 984c34514f98cc5629c722d05656d1461e5a0a59 |
| SHA256 | 1c7360c90613a8ef95e42017b474457a6a031c9e07c2a70f367f559420c542b0 |
| SHA512 | 78ea9b653d35788a451da91757be7bf48cae2d37274d773b6db04a783d1bbeaa892c79c9664e84d56a6b9f71ef9ab36c75663856ee4c05035ea9e0fb0064c340 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wma
| MD5 | 0c0d45b09678e013f980ddd29471df41 |
| SHA1 | 40e95ece09bbb93211f3c10d5301a990f7fd45a6 |
| SHA256 | 9b49033aa0789d646c2b007960831faafa63e0643db365c90edc1725370ba42d |
| SHA512 | 1d339c47349c161ef1f34aeb06cdc411a667944cbbde0c1d8bed0490b9845f68f0edefdb0b762252d1e9acb4e0adb24ff5e444159f0743b7e828f031bbbd321e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Weeks
| MD5 | fdece249a5d06a1e3e483a1fb90adc11 |
| SHA1 | 4c7b38f058453381cdda55311321fbf5d4512852 |
| SHA256 | 306b5e9a26aed7e1fce882211ddd4f21dd52ad32a3da9faa6f4a6bf9be9830d9 |
| SHA512 | 42cc76f5f01b0ff56f8a4e2fd80c91fb58264a09be29ba8300625b0479e5dc8df5a71ed626d860b48d6e4c06911aac67b2c1fdb0b5c31cb47630dc5f1e9b7879 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Empty
| MD5 | f9db912fb6697a36aaff57fe92c53d7b |
| SHA1 | 50dac97644d0041b29b4da9ef8226294abd391d2 |
| SHA256 | c8a0d30ea5ab2b0dbdfcef9908bf7f1e1e8840f3248c2b8128e3234ce33dac55 |
| SHA512 | ad6fdee6f566de1a57730eccedcf5f838bb67e7fadb06f66fd0583750a9a6593b3fbf1c686a19f9926d0ee7a79f40e7cba3089539c03cd474bd491c3810017bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Environments
| MD5 | 62b77ad8e1c448c98a17899bf03733fb |
| SHA1 | 2d3f165d8e2d99decbb1cfd7f5bfc6b53d8900bf |
| SHA256 | 2f754307b97b0f915751f4668bef0eeb209a091f4a64b3282fbba44215740a77 |
| SHA512 | 39d73bcec98ab7d72af590acc68659d33d0d08e9c231a5f65686365453079c1b66e7200d997dd71ceb16fd0908afa0eee4210d153ca624871e7db75187b75cb1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Identified
| MD5 | 6082167936c48350accec4e5a73345e2 |
| SHA1 | 9ee4d3b6fc70cee284a981b823074b52c9c97c5f |
| SHA256 | f2acd6c3c25755396b97706d999feacc41d649c846eca4c447d8c55808cba84d |
| SHA512 | b60d8c9256d4dfa4b3bc62dde7c4cad08fc0a27bef4c17fa963bc07577d392bb10bbf24fa98048046ef0011933971710aec067fc89b1caf589cfe29d52da5b0e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Alarm
| MD5 | a6342ebd229baed52bef276f6d98e45a |
| SHA1 | 22705bc04655919f9f907df9bb35f09eb225fd3c |
| SHA256 | 562a2f26bed375112b6b07de8deabe6cab519dd219426ccbd263215a0e34f308 |
| SHA512 | d3b48ebf1c7636512e42adab344a9384e798076970a9f8fae07b7bb612a88d430c90449253d02066546fa6d334fbb635129dda3a3e35417b126173a4c7427ae0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Measurements
| MD5 | 9ab2dcded3fc4ba015e8ec987e4229d7 |
| SHA1 | 0aaa4773d061ec53a27133e33296a4fa51fc0a0e |
| SHA256 | a119d3ff7398d4d3774e31dbf066bd1211e081848777b21bf9ac3ae5d3186179 |
| SHA512 | d0e9f5bdfb6e4aa0c22ce6510f8ddb59b645d53b8d9c86a2a5ccd4ec3c72338f2a3b4b7bea0970697caf28894539478c6b6be5d2b071c533799b8262bfda8535 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Asked
| MD5 | 6634844e4bc5c860419ee18ef5af3f71 |
| SHA1 | 3641e5c55e09ac3c79cb8569de6b5de4c300fd65 |
| SHA256 | 7fb6bc021397eee905c1bb7d23216b21bcb94bd7795d0bd1006237c56fcf4d2f |
| SHA512 | 0c4a1529ccf46a47c3135901e967e50fbc0fa41b6c4805acd7673c113e1d1e62c8551be7cb7cb8a4487d9b7c7907d9dfe6ee6bfa649fae79f76527046b1953c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Report
| MD5 | 30bdb23ed924fed83d32c9a0e807d258 |
| SHA1 | 19c61b6d940418cd33d35b0cb9799c125c094775 |
| SHA256 | c041ead8e3a73b7172d894acf130330abe3c633b1d611ec0056283d939e52f4f |
| SHA512 | 70f877127dbb3eba87a0f6e273c13b629e5e76f8640df9907bb46aea44896aac98d8cddda94e8b2afb02d76ccb454be3be360f8df9c755eaa43746a133894c9c |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\Suse.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\t
| MD5 | 9353f07f92f74999c1befc17a611b4f8 |
| SHA1 | cef59bfdee8c304b718b48a7ae396f932f1974c3 |
| SHA256 | 6a8181307afaf192a4bb0b20a9707c5be09faa9e82f1ef96682849c45480bd3e |
| SHA512 | 5e715f7d5d29efe8d8d90f3522c2570862636d93cefa21fc16d9589c000a373c9f0364886041c7b034cce882ba18a873fb8c9a3bb9f0104dea4a168f2a4a9af3 |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\824903\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2548-330-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/2548-332-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/2548-333-0x0000000000090000-0x00000000000A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 11:19
Reported
2024-05-30 11:21
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4440 created 3436 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 4440 created 3436 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 4440 created 3436 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\receipt.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\receipt.exe
"C:\Users\Admin\AppData\Local\Temp\receipt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Adrian Adrian.cmd & Adrian.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 824903
C:\Windows\SysWOW64\findstr.exe
findstr /V "RELAXATIONTENNISYOURSSCAN" Seek
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Measurements + Asked + Report 824903\t
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif
824903\Suse.pif 824903\t
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & echo URL="C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | PVgQNHszldiRVxJpoZszvCOlfluc.PVgQNHszldiRVxJpoZszvCOlfluc | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| NL | 91.92.249.142:8989 | tcp | |
| US | 8.8.8.8:53 | 142.249.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Adrian
| MD5 | 669bcb845485adbcaed94cee013b506d |
| SHA1 | 6c4e86b2fbd3f1d1a0ae44403a7d8617de533dc6 |
| SHA256 | 879480c9b69cfc918318d9cedcdb5c06038dc1108a9cf6ce9ef63eff89974757 |
| SHA512 | b8719eddda11472f8023b6205b2f225eea1aee861161906b1a6002143b3493c844cab2e315a386d88fac38341860c60be613ded40a073984e4b496942a6dd469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seek
| MD5 | 8aca5459b5f158e0ed914703c45bd5b8 |
| SHA1 | 44a0c6306ef7dcbd45ddc1d3143badcb8db4219d |
| SHA256 | 79187028f716e643081f3c14e5cc25ca6280ef8d87b1913663c64bfca1b46a47 |
| SHA512 | c10a6120f108671ebe38b38580364dd2565088b2cf7d7fbba38f738c7424eabfb1362fa765e21ff713affa30016df97f26af249fa85523e38f7236ffed4cb186 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Planned
| MD5 | 99012f57b2e272c1d30b732d3a9f17fd |
| SHA1 | 0f166ffceed30fe753799bd7fbfa4852848f72c2 |
| SHA256 | 4776ce1bebd9bc4890ba149d1b6a6695c7e9d8ac95b932ffb58f02d5f4d14875 |
| SHA512 | f12b81498a5e71edc47de26706b924e5f0f48e4a1096632c4fbf3a286828ea1c09ab04e6dce164df885bee081d5bdfce18def9d43ea1123b4415b4864e3d8fb8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Me
| MD5 | c58fc578f490d1ad28c01b6080af1259 |
| SHA1 | 114fd98f30a53b122f73ea6466d6cb68fe2f0896 |
| SHA256 | 1ae3afce9c7787b42ae8b543fc5412a99a7ff2540116b59c4c3f8b82c75742fa |
| SHA512 | 6afa9b5ec23cb3936fc2a2fb11ea2d63f61ef08ee777a35844aa5209438c52f00e256f42f201eda31fee055f166be2b27a38ab500d1176c5892652800dcca47f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Activists
| MD5 | 05bf8eaa80ed61c659b29fbbc5210e15 |
| SHA1 | 09d54bfe876025303f5f6195adfd3deb9e009695 |
| SHA256 | bee181608b58e65ae70586ce1fea3f8666adbdf180c7a2090e0d7a76307436d1 |
| SHA512 | 7d528b570d48d6d112d636924ac3f2812332a3884c90113fb787c3958ed351e75ab2bb77203816712199bd7310e8e5b0bb70d0ce8809ab088e8464386ebf114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appearance
| MD5 | a02321b286bb90393ee73f07182af12a |
| SHA1 | c4e4bdfccd9754bea38d42a41be8a36e4efdcfd9 |
| SHA256 | ebe905d945c10ad2aa3d31e6faac37fd119e0000b12111b99fdaf436506a6a6e |
| SHA512 | f6b0c2a5d4b773f4f2769cc31f425ad9d1420187ab757d7bfa131612419efc81a98d2358920a0e4e2de08d16ed3907fc8620895822d4c0a0e4372bdcd21fa025 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accidents
| MD5 | 7c2436e544a3abd424d29343a41366d0 |
| SHA1 | 139e3da90cfca5825161ce8f5af519b1db2c95c0 |
| SHA256 | 01678427aeec32aa7babdeeb5804a48c77eb4b0a8ce75dcaa9dd603a5f27db82 |
| SHA512 | e4725d4ca1b865fc0eb400fa15fdb06a66378c87819447443322a4eb55d1ac8a2715cdadffae10fe28c141fa4bd98aba1ba7a8d53e19ef0ebb9ec775e88ba511 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jamaica
| MD5 | a39644e2ce927c92272cf8107fb3327b |
| SHA1 | 26c8d5eb1539b64398d9b23913a05ec070773f9c |
| SHA256 | 85d4421aee35da360bb53ae599549fddb4b1463d36770db3fdc1ffb89f985fd0 |
| SHA512 | 015ca51a93ab2ffd345302cb0948ae653b780effc08bd86aea2dfd8098a2a48c94c817059b55dd5325ebb8edcf81ac0d052df2b1ac698f9837bc8272f0786449 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Numerical
| MD5 | 6c714307641de8c93d261ed9cc77646e |
| SHA1 | 6cba8af80995c69b1952cd36c03b70dbfeb8cae2 |
| SHA256 | cd65eb96896d272cbc5b0983ab6f4e22531234b8d135a74775a6e1cf373b9018 |
| SHA512 | 3fa4f131d511de5bd5f1cddaf888a214e152444045ac1495f2f643aaf6b36d866a81867a53006e6eae6e9670e53b2ab06b84363e1f05dc5efbfed00b014d9a9d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Persistent
| MD5 | 8d2121bb8a9b7ad27e69e1bc957f8979 |
| SHA1 | 3fe2d692d2af03c4d36dfac9f3fde4d00edc1716 |
| SHA256 | aaba07f2e70929d5f4f3912dea2e71495ebca035873037afb9a9a3f678fdc7cf |
| SHA512 | c4fe975c8ee22a53c9131b231612591601035b9401a8f88f05dbdae3edf198d9c119c055df5f4bf44fc1e42ad9a49819a791e412460f776b552a2930bbea84e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Calvin
| MD5 | 4d19078157a311f1346f191caea7e509 |
| SHA1 | 8121ad256d953cd92cf8dfa9534c1b6faf997832 |
| SHA256 | f6f2c4c9ed18d938a44faeea9da23c817f0fc0768c4aab5e4440c68c16f703a0 |
| SHA512 | db30db32616d0603584cf68691af76f814da57ff1ed0e7914df796d688fb262239041d6089b31f27f09d8f306718b54b3a65070999890becb716672c43c10822 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Endorsement
| MD5 | 4a26c986918b78352da428c9880ca685 |
| SHA1 | cb2f1211d2f87f3b9494d0a83f574b1e58835184 |
| SHA256 | b327e7db0d1ac5cad2b1935a1708bab247664fb009fd923a1153933d24a920bf |
| SHA512 | be84ac35b5d32899fc2a5420df08ffb45eefe510e64f08a7ec9efc5443c18496a679bf4b277754ffb43915e5681bd9c2a628c10b41f94504aa9ed2988225012d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lesbian
| MD5 | 619654a36360c018f16e384fd1e6b387 |
| SHA1 | b232c087e34fda965d6f88bde7a35664d796f1c3 |
| SHA256 | fa44132bde285d5768d4d952c358b40469304aeb3b66ee8cdb4a54fb575d40c7 |
| SHA512 | dca163feea318903e535d899300df1d7e9ff6c1639c166c0d4ba8060735f081ee931e613b218cb9aa71f198ad9d9569c6dcf667265b904519cae8b8bbf5b71e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spring
| MD5 | 72f0225d667c4395eab1c35726d56f36 |
| SHA1 | c57f5a6d4953b7b7c8fd9fe1c1217b880ca4d9e0 |
| SHA256 | 7b69034a324e195ef42af77762c22b5894b9b36787942fa2cb42390c7d30673a |
| SHA512 | fc7bb12e8984d9fc7ccba5c3ad3b7f2d84ab00a561c0a884d2bde15b8b990bf5682615f49ed0b8ac609a6b5c7e2ac06fc363b852b49c9ba64759ba7b6204ac6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fr
| MD5 | fe66f07a1dc3527572e662308b33f2d1 |
| SHA1 | 8eaef41529ddfc9ad45df088b40265d75a590546 |
| SHA256 | e68d5a6047ce198cc348da288cea64dfa8d3cdc534bdb095b123b1c796fbceff |
| SHA512 | 2f6c8e2c1ece9d69f8b7707ee4a0ff9cef3fba652c4ab22172f756563ff2d016326c7e62629d4af11920c7251de4ea78f0b26530340bfca18b1288df5ec2cb0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Education
| MD5 | e0e36a8fab76f17638d4c66d7bf47387 |
| SHA1 | 41cb341f8d74bdf6ab2fcb6c5de2ef0fe4f2a209 |
| SHA256 | 9327b77e25664dcb9bc61d4af63acc998c528947d4628bdb59c8c3121f6c74af |
| SHA512 | 982105d230869a83cc7b002ce928720967417206bb0d748ca860dfa4c167554dc271756e1f5ca773490643a1d4c77383f287135202c40b1d37f4b2bf16998fca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Information
| MD5 | 2113d64d2825d8f335cb97226dedcf21 |
| SHA1 | 717127436c7d315618099ef3788b4f8a2efb04f9 |
| SHA256 | 3c83b5d248f30faf27709bf466d8410319d42f31dd02767c2a6cf35488e87578 |
| SHA512 | 9170c1150a348badbdab5aa177f2963bae784e55a22fe273cf9934ae82581c43b80230e4535dc2fa21e7b421712790bf4326aa68c166ed1ade802d0ff7a3ec7d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Heart
| MD5 | ef90eff38af57e222a94fe9445264f79 |
| SHA1 | 15022846a434e73984808b3d844beda2bd794e43 |
| SHA256 | bf042e2854f6545cb3a1bf5a18e010ed72428a1d120655d5452264eff6c7c5f2 |
| SHA512 | ce96d72a17ec59dbf51dc1a30d492e45bfd09595c2938b7879308f727792d538fd92f345a2e23a14c3aad5a3f14a55184e1da0bf6311dd3d31e184d23581b35c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\America
| MD5 | 5ecf891e5790eca39dfc47de2642a290 |
| SHA1 | 3b7c0fd78edb35cbdcbb7fa0e58dd236b6072627 |
| SHA256 | b8b03938c9e19283c45c8b0f3c47719741ba93b5305c5be6f3f16ba96f58e017 |
| SHA512 | d4d960c261657ca817db72a1b8c2ffddee8f87009d46d91d1804b39a12ef9209b0c0a476195c4db1a25c1d865a22960c22eff18dd2f3e924ffb45fecc387114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rogers
| MD5 | d0f3d612fd98c067cbee5c1a9d191fb9 |
| SHA1 | 532cac39990879f4530c44cba0f7f4c6f5737817 |
| SHA256 | 4982dcc44f35e26ac9ab0c9a893e8c095b461e22cb8deb50f9146c8028c2da2d |
| SHA512 | ed6cdae54129de8bc5cdc020fdeb3d87a5259ff8d85ebcf5abee77499ed8f9c8e2dda1dbe679c467d21d6ab8897c230bbe9711878b8d4842fc9ba20d7f861127 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sealed
| MD5 | c979fd8c1c9972e5bf7f4121c363d8d1 |
| SHA1 | 1da51ad6a8b89c164095a82264a4dabaaf2f5693 |
| SHA256 | c0a872d2bb4cb884183f4c31d161005a5704a1ec91ef72bf6ede4f91e9fd3461 |
| SHA512 | defb9b133a59499544110cd99414cc11a669a61b4441057b5b43d94a983212be4e920e30e0d574411889aa75f925b6da987448880a4bdc28a08a5b8b1b88fc73 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bomb
| MD5 | 432c3fb47d74bfaf66fad92ab18ebe2e |
| SHA1 | f91def68a64c7264bbb628bb3462ec852e58bb85 |
| SHA256 | 558a2cd4c4682aa34450b7076aa4ae85a0f258d4b52904d13a0404be4d91897b |
| SHA512 | 7b96c40798466a52325d03364ade9f2fc57553493fea6bcb83ed3dd3b73b6a8646d5870b77ca8d57fc71564a19efe213fe76982856200935ced5c882afd1a816 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wma
| MD5 | 0c0d45b09678e013f980ddd29471df41 |
| SHA1 | 40e95ece09bbb93211f3c10d5301a990f7fd45a6 |
| SHA256 | 9b49033aa0789d646c2b007960831faafa63e0643db365c90edc1725370ba42d |
| SHA512 | 1d339c47349c161ef1f34aeb06cdc411a667944cbbde0c1d8bed0490b9845f68f0edefdb0b762252d1e9acb4e0adb24ff5e444159f0743b7e828f031bbbd321e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weeks
| MD5 | fdece249a5d06a1e3e483a1fb90adc11 |
| SHA1 | 4c7b38f058453381cdda55311321fbf5d4512852 |
| SHA256 | 306b5e9a26aed7e1fce882211ddd4f21dd52ad32a3da9faa6f4a6bf9be9830d9 |
| SHA512 | 42cc76f5f01b0ff56f8a4e2fd80c91fb58264a09be29ba8300625b0479e5dc8df5a71ed626d860b48d6e4c06911aac67b2c1fdb0b5c31cb47630dc5f1e9b7879 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alarm
| MD5 | a6342ebd229baed52bef276f6d98e45a |
| SHA1 | 22705bc04655919f9f907df9bb35f09eb225fd3c |
| SHA256 | 562a2f26bed375112b6b07de8deabe6cab519dd219426ccbd263215a0e34f308 |
| SHA512 | d3b48ebf1c7636512e42adab344a9384e798076970a9f8fae07b7bb612a88d430c90449253d02066546fa6d334fbb635129dda3a3e35417b126173a4c7427ae0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Identified
| MD5 | 6082167936c48350accec4e5a73345e2 |
| SHA1 | 9ee4d3b6fc70cee284a981b823074b52c9c97c5f |
| SHA256 | f2acd6c3c25755396b97706d999feacc41d649c846eca4c447d8c55808cba84d |
| SHA512 | b60d8c9256d4dfa4b3bc62dde7c4cad08fc0a27bef4c17fa963bc07577d392bb10bbf24fa98048046ef0011933971710aec067fc89b1caf589cfe29d52da5b0e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Environments
| MD5 | 62b77ad8e1c448c98a17899bf03733fb |
| SHA1 | 2d3f165d8e2d99decbb1cfd7f5bfc6b53d8900bf |
| SHA256 | 2f754307b97b0f915751f4668bef0eeb209a091f4a64b3282fbba44215740a77 |
| SHA512 | 39d73bcec98ab7d72af590acc68659d33d0d08e9c231a5f65686365453079c1b66e7200d997dd71ceb16fd0908afa0eee4210d153ca624871e7db75187b75cb1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Empty
| MD5 | f9db912fb6697a36aaff57fe92c53d7b |
| SHA1 | 50dac97644d0041b29b4da9ef8226294abd391d2 |
| SHA256 | c8a0d30ea5ab2b0dbdfcef9908bf7f1e1e8840f3248c2b8128e3234ce33dac55 |
| SHA512 | ad6fdee6f566de1a57730eccedcf5f838bb67e7fadb06f66fd0583750a9a6593b3fbf1c686a19f9926d0ee7a79f40e7cba3089539c03cd474bd491c3810017bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gr
| MD5 | ac36046d34acdbb2ca74a24a50cbd51e |
| SHA1 | 302aae6fdf37cd88ce7c59a02ce4f74ce0674900 |
| SHA256 | a1bd4270c698656f4ea48772a127d45d6dc81b23c33ea69b233ebe1b425cab3e |
| SHA512 | d8839258506bd448c76a674ec053a962a4d5f0dddec659f9cd36e2d2af4d50307f7dad7beb8eb56add8dc6048327310e03cee964343ecde3466d14ce72ec9b06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grocery
| MD5 | 79445655d7e5636383812464b6357fe9 |
| SHA1 | 984c34514f98cc5629c722d05656d1461e5a0a59 |
| SHA256 | 1c7360c90613a8ef95e42017b474457a6a031c9e07c2a70f367f559420c542b0 |
| SHA512 | 78ea9b653d35788a451da91757be7bf48cae2d37274d773b6db04a783d1bbeaa892c79c9664e84d56a6b9f71ef9ab36c75663856ee4c05035ea9e0fb0064c340 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Measurements
| MD5 | 9ab2dcded3fc4ba015e8ec987e4229d7 |
| SHA1 | 0aaa4773d061ec53a27133e33296a4fa51fc0a0e |
| SHA256 | a119d3ff7398d4d3774e31dbf066bd1211e081848777b21bf9ac3ae5d3186179 |
| SHA512 | d0e9f5bdfb6e4aa0c22ce6510f8ddb59b645d53b8d9c86a2a5ccd4ec3c72338f2a3b4b7bea0970697caf28894539478c6b6be5d2b071c533799b8262bfda8535 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Asked
| MD5 | 6634844e4bc5c860419ee18ef5af3f71 |
| SHA1 | 3641e5c55e09ac3c79cb8569de6b5de4c300fd65 |
| SHA256 | 7fb6bc021397eee905c1bb7d23216b21bcb94bd7795d0bd1006237c56fcf4d2f |
| SHA512 | 0c4a1529ccf46a47c3135901e967e50fbc0fa41b6c4805acd7673c113e1d1e62c8551be7cb7cb8a4487d9b7c7907d9dfe6ee6bfa649fae79f76527046b1953c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Report
| MD5 | 30bdb23ed924fed83d32c9a0e807d258 |
| SHA1 | 19c61b6d940418cd33d35b0cb9799c125c094775 |
| SHA256 | c041ead8e3a73b7172d894acf130330abe3c633b1d611ec0056283d939e52f4f |
| SHA512 | 70f877127dbb3eba87a0f6e273c13b629e5e76f8640df9907bb46aea44896aac98d8cddda94e8b2afb02d76ccb454be3be360f8df9c755eaa43746a133894c9c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\t
| MD5 | 9353f07f92f74999c1befc17a611b4f8 |
| SHA1 | cef59bfdee8c304b718b48a7ae396f932f1974c3 |
| SHA256 | 6a8181307afaf192a4bb0b20a9707c5be09faa9e82f1ef96682849c45480bd3e |
| SHA512 | 5e715f7d5d29efe8d8d90f3522c2570862636d93cefa21fc16d9589c000a373c9f0364886041c7b034cce882ba18a873fb8c9a3bb9f0104dea4a168f2a4a9af3 |
memory/2600-326-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2600-329-0x0000000005080000-0x000000000511C000-memory.dmp
memory/2600-330-0x0000000006300000-0x00000000068A4000-memory.dmp
memory/2600-331-0x0000000005F30000-0x0000000005FC2000-memory.dmp
memory/2600-332-0x0000000005F10000-0x0000000005F1A000-memory.dmp
memory/2600-333-0x0000000006140000-0x00000000061A6000-memory.dmp