Malware Analysis Report

2024-11-16 13:38

Sample ID 240530-r8l56scb6z
Target chrome.exe
SHA256 21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798

Threat Level: Known bad

The file chrome.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 14:51

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 14:51
Reported: 2024-05-30 15:02
Platform: win10-20240404-en
Max time kernel: 597s
Max time network: 599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\chrome N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome" C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\chrome.exe

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\Users\Admin\chrome"

C:\Users\Admin\chrome

Network

Files


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq1lgmhj.4se.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\chrome

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.log
