Analysis Overview
SHA256
234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff
Threat Level: Known bad
The file Nursultan client.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 12:21
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 12:21
Reported
2024-05-30 12:26
Platform
win10v2004-20240508-en
Max time kernel
172s
Max time network
273s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" | C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615454195715151" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan client.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffd4b5dab58,0x7ffd4b5dab68,0x7ffd4b5dab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4152 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2440 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD2B7.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brands-omissions.gl.at.ply.gg | udp |
| US | 147.185.221.20:3488 | brands-omissions.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:3488 | brands-omissions.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 147.185.221.20:3488 | brands-omissions.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 142.250.200.35:443 | id.google.com | tcp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encrypted-tbn2.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.180.14:443 | encrypted-tbn2.gstatic.com | tcp |
| GB | 142.250.180.14:443 | encrypted-tbn2.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | udp |
| GB | 142.250.180.14:443 | encrypted-tbn2.gstatic.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.porno.com | udp |
| NL | 141.0.173.133:443 | www.porno.com | tcp |
| US | 8.8.8.8:53 | 133.173.0.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| GB | 64.210.156.23:443 | ei.phncdn.com | tcp |
| US | 8.8.8.8:53 | 23.156.210.64.in-addr.arpa | udp |
Files
memory/2208-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp
memory/2208-1-0x00000000002B0000-0x00000000002C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avgwcoex.f3t.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4652-11-0x0000023930270000-0x0000023930292000-memory.dmp
memory/4652-12-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/4652-13-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/4652-14-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/4652-15-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
memory/4652-18-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0b72469ca0585278ca9c240a42085ad7 |
| SHA1 | dd0371aab5740e6d5f44d75f02f5f2d0a16089b2 |
| SHA256 | 9e9693e3e021a1a0aeac855d0c2fd330568225282ed4e2d8ea1d876457efa0db |
| SHA512 | 77929ab5f47ec18e78e9e57f0cb9a41dd02e8974b59f692175fefdd69a6e84c6c289a8e4cb563fb064857f2c3cf6ce330e8efa7dcb352691fdbd662c90c3b577 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd1d0b083fedf44b482a028fb70b96e8 |
| SHA1 | dc9c027937c9f6d52268a1504cbae42a39c8d36a |
| SHA256 | cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c |
| SHA512 | 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973 |
memory/2208-57-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
| MD5 | fe07501d3d052f3240fa2d9da7c2c82e |
| SHA1 | 5de5b5464823f238a307f275e5b3f76538ed3405 |
| SHA256 | 234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff |
| SHA512 | d4002ae6fc0fd8bb9476b2689657797f18cc350062da3c66f56d6049cad5dd34949e2d03e6ba180b2dc131792f310f0ac3ab77b8cae479a1f5106a002457d129 |
memory/2208-61-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp
memory/2208-62-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 583c5525813d9d9f74b76ed066fa1d61 |
| SHA1 | f65c48fa13aa2400666c4f6dda7f1592438302e2 |
| SHA256 | d452e9cbb5d2716f4bfdee3a071ffb9b7ffabb20237b856437497e05ef962598 |
| SHA512 | 7e8a0e9e4492696b8f0e76d1c9104f24045842bc1b76bf0356bfc9491ebc7138d22c8dc97bdb09ea42f010c4ee62b6589d7ca75be2bef74217aae02061c1aacb |
\??\pipe\crashpad_3004_AFFVXLIKOXMQZBXB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | af5a0aa28acfceacc42589429c09f04b |
| SHA1 | 52cc349934dc92444798f553ea5aa1b185319bd9 |
| SHA256 | b57a1a96c5a7aaf34bfb61b541b2eee609c3df1ef318aa16c490023fc4cd0101 |
| SHA512 | ae6875cd731a639e1db96ef56d5478d4cb2c1f84161dc5b36ca22f86563cd2b1414945432468834c408bd98bd02464b76778fc9bc8fb1cd1af0cfdf1169e0229 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2179b4455d8690a31d9a3d1c2cae92e0 |
| SHA1 | 0537be8009573b0875183d96283a62da32022829 |
| SHA256 | 7134d48811891691aedda853f7ec2e43703ec41799d3df5ef4e4d0a076314ec4 |
| SHA512 | 3f447dc03320145745490190e7af48d04c31790095a6bcaf71bf3d59609bacbb460804ab1479715decfb64470e7da808e9f3f5b2c78373b0ec38948b59c7d8de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f25d23383e8abcf3380529a73725efa9 |
| SHA1 | a8af71b5fadfc3c372c025b11b944a5e2e625ae3 |
| SHA256 | bdf134242d5c99b2fca284bb945eab3e79759206a2e815cc59887edd90353c80 |
| SHA512 | 05bd47ffe9a49b2c6cb2ddd428fe26dc6e24f447be8eab50eb9e1c9217f6204da79867aaefd620ba74ff8f5ad3e20d686d80107c625e43da80f63b055937419e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | d3735f4ca81b46a66bbc88a56854949c |
| SHA1 | ecb1255028815ccae482eea562a7f136013c9553 |
| SHA256 | aa2c6d785a60ad23da8ac9e23ae4862859ff1583ee97d43cde7328825cfe3e65 |
| SHA512 | 65502d2675a223e3278e5d20a7faeecaad47cd4e090196624423a06097ca3cfa1cab1c8bd31dcc8e44348813575a3d97f4f422d58d02e3e623985429e288b5c8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4e2882c2075639b2ed6814503754606d |
| SHA1 | 0a44179359bbc8890a892ff6e9f701d3082b5d66 |
| SHA256 | 70b4ae9025ff150ff7503ef8345b20abf97c2a7c2fcacec101ac44a61232dfc0 |
| SHA512 | 015de2ee70733fd8c3c3767d53e3acf49badda262783da2e89760a038069323c5e3df6322def0b6e2a6976c0e97be8b3de5d5fa16e4f52828ad31efb5ea219c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2baacff9c1e483ce541601cf28d4ca4a |
| SHA1 | 57d1de8e259066c76f11d619de22d52a135bd742 |
| SHA256 | 44c4b6788438264c0bca8994fa0a058eb03ed0d6fb9ddcbe0281838784ede037 |
| SHA512 | 37fcb003aa581c82204d5cb59ec89772b36b91ca6bbe83d72fba2c36ebde4a425481bbd31c2c8f4551013ce053eb15cd85f2105ce5954ea9a75ac701fec83562 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5980de.TMP
| MD5 | 93708ebdb4f047e921a2d2c0cac25f09 |
| SHA1 | ca3c73dc54cb5caa70a4eb52abd68d31d2f56320 |
| SHA256 | de055871c93692dbfb5ab83854148eb0594711e6550d03d63144e49b38002ec8 |
| SHA512 | 5d25174a2331f6916b8d19d999d14a516bd499d35b14bb6f34aba062cad1026d4fa04325ae126c7d0c95e8594a57f1862934ddac70c8e92262882458d26b39e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 44dbf3a7f855833cdd60bea73ca33e94 |
| SHA1 | 9b4cc050716ba0933cf5fbc82b0d72f18ac71067 |
| SHA256 | 9591018f5272f79a21b6d8d0cc8738e8b5bebbc6173ea02ecabc979cb33219ff |
| SHA512 | e21360e75bb8388efafe17baf65e8255cdd05b5d422f8e8f63c83352c3a0745ab38992465099227287bcf7add7de0eeaaab145307f2f572fcb15194f7e08faaf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | cbb19afbf6bbf054175b1fc621bb5789 |
| SHA1 | 37388b39e22d42fa9419d79cd910f0edcc310ffd |
| SHA256 | d39517e01eddb226f6be41a2be1bba432b78762154e784264c00a636caa912b4 |
| SHA512 | 1c5ced4d2fce942d59a73c3032999e26ca1365892512118158269624894862389d34e016612de51d91b8880964ef4539df682ec9455f40d7c6481e42122f1fbe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d09835d4d66add17832fe8fc1277a005 |
| SHA1 | 31bba0582024c260ccd2b65b79ec53413f813277 |
| SHA256 | 63b942b7c0da87f0761e1cd716394586a12e23140c0c53a7a7a212177837f228 |
| SHA512 | de170a2594e751a52b13e63b0e4a466af3a61a0e24509c13b8ae303816a1af351dc8d4d56f87a07bfd2c0d3d556cff220c103e324329674bd8c8d2dcd59916fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 40b616af43491d68a083c91f121a33e3 |
| SHA1 | d9f4e84c744b8fbc0889926264e9559ead79accc |
| SHA256 | e9682bdc629a665e774668e5c0062fbef5c777c53006fa3485df7c6ac1ea98eb |
| SHA512 | 8ceec5ce9025901856642940f520645c6111dfd00dfcbcb150929915eae2a425f65ae3aa9751290ad267b47ca1ee80f6e128a22e4fa8be56d62457ef58e3f680 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1b940a0efe6dae503facc2caa7298ee7 |
| SHA1 | f9337e09ba32c5f57ff013a7d223076d9ca6b8d4 |
| SHA256 | 627b01a98e7f2cdf440f0738131482cd7c2f4aabd6e0d42570d914103b668f03 |
| SHA512 | e4052a21abc499f124fa5dfcfa31456fa0713351944e29948721760e9e626979319849d8ceb97d460c899f81d5933912a33e91f34fb178db0155e10434595a95 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 03cb5ba84e849e1dc4e3c7b90b0c2696 |
| SHA1 | 087ce3ceea2eac4e21451bf5ddbb2496d20bcecd |
| SHA256 | db6ef7fcc0b68ab9bacec88da4a581c5a34491fb8df6edeae1c2163fcdfb68fe |
| SHA512 | a8743088c1c6bf144cd8bc798c2d0cc31f5ab034928744e20ec95ccebf9dd30d0a29a2743400589ed47191b4c9bdf598163cf8b1a7a52b9b37922b185136243c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f08fc6b93a999076ea8bf83028e84d1b |
| SHA1 | a568f191d2382cf31308004618e42715575d6346 |
| SHA256 | d6aa72fafb258b5911ab21ff296d0d7bfc95d76d1243b9a6c3193b9676e64eee |
| SHA512 | cf2ae01966a4160ab48363baac5cbae3cec3f765e7e1072990e8ea14e1cae62c1baaa39d798f88368fa1e1d9a9b94858bfec061dc5c9e5192b104076d5d4ffca |
memory/2208-419-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD2B7.tmp.bat
| MD5 | 595524ce09d8b66ac31139fda7fdd631 |
| SHA1 | 80c5a6f38a24a7c1178021a0db2f65466a0758da |
| SHA256 | be2ecc6ac955e454f0af20970adbc59d279435d0171a7dc50cb36c77ef6c4cb1 |
| SHA512 | 5c1f0a2a9fd76fe849033ac054bb8bebf0b37f41e53255e21d4668d335f3e48100e4bd302ce2a393546f19c1510f90a53d8b676960df327af64ab34784dd92bc |