Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-zed7gazhqn
Target asdasdad.exe
SHA256 ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa

Threat Level: Known bad

The file asdasdad.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:37

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:37

Reported

2024-06-20 20:40

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b9c2d883d300b8438f464723a166174200000000020000000000106600000001000020000000cf96c7ed55c06bcbb487f7c7c06cd319d2070518a4e63551ae6c7b3ad9a72480000000000e80000000020000200000009660092b75ddcc3e52b2fb5c1b959d8e798679895633f52c95fb2456ff9091ea2000000023b5cfe33789142f715384a5f0178866c8ff5baeeb3f3cf5deebc25a5927d11540000000fd58db3de3dad3818be07bf73290c042ed3973b29fbf5461f30e27a57239c76b2869eeb23a83579151696d387b4567554dd236a806c518459381fd82dc13121e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11970EC1-2F45-11EF-92E0-EA483E0BCDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1078f6df51c3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b9c2d883d300b8438f464723a1661742000000000200000000001066000000010000200000003502b6779fea0a2c4e8a7d721646a931f205d8f0408ba76829a6b7464d62d195000000000e8000000002000020000000a806dac786cd709f786a68ee210566646914e4d3ae8beb85dee0610a449058569000000005dfd33c7eac20e9836c9ed09fc722588e0a7ff8331768d33c31c141d8eb373667cb367e5aa025c7cfcf0a2134588bc48635a412e1c122bd48386bd10535f50290a60e542b44d9e20fbcd7a0992c2f9dc672bd264e7b97886258b130ea89058e25db5d811b070b75b7287cca4d6c8516b36eb25334a31e9f7c52b34fbe928a1b742eaaa4321c5e9ff836bb3f5cb3a19f400000009864a0777b0cf02b5eb68b2c29122da8bb46f9a8a1c1cf0ab2e34ffa4d531fb301b573d1d43f912cfe194dc06f4de63f9522d80abcc6b0f9fc59eb2c2be8bbfe C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425077785" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\cscript.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\system32\cmd.exe
PID 2248 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\system32\cmd.exe
PID 2248 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1000 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1000 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1000 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 1000 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 1000 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 1000 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MEMZ.exe
PID 1332 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1332 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1332 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1332 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1164 wrote to memory of 576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 1616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 1616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 1616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1164 wrote to memory of 1616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1928 wrote to memory of 356 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 356 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 356 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 1548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ixsjxa.bat" "

C:\Windows\system32\cscript.exe

cscript x.js

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+2+buy+weed

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:472083 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1fa9758,0x7fef1fa9768,0x7fef1fa9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2716 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1127441 /prefetch:2

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1324053 /prefetch:2

C:\Windows\SysWOW64\calc.exe

"C:\Windows\System32\calc.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1127457 /prefetch:2

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 147.185.221.17:29206 silver-bowl.gl.at.ply.gg tcp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp

Files

memory/2248-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

memory/2248-1-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

memory/2248-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2648-7-0x0000000002E00000-0x0000000002E80000-memory.dmp

memory/2648-8-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2648-9-0x00000000027E0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a38917833783c3a23193dddbda2a6a61
SHA1 0ad68fb69d9d1bcf270070ac99809dcdd797b263
SHA256 f972fc252bdebae3cd20cd3064c1d900e43132ebba825447d49a97de90ca7092
SHA512 55abdaee60bc7d6c2171e1019def57ecc6b59688f4fa38ce6a79a1a0a2c65fb9ee49b91051e37054172ac7042b8e068644b4c9794baf2fbd906a6c5e785714ab

memory/2520-15-0x000000001B530000-0x000000001B812000-memory.dmp

memory/2520-16-0x0000000002690000-0x0000000002698000-memory.dmp

memory/2248-26-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

memory/2248-27-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ixsjxa.bat

MD5 bbae81b88416d8fba76dd3145a831d19
SHA1 42fa0e1b90ad49f66d4ab96c8cca02f81248da8b
SHA256 5c3fde60c178ed0306dd3e396032acdc9bc55c690e27a926923dd18238bbd64c
SHA512 f03ac63bbb504cb53dc896c2bec8666257034b1c4a5827a4ad75c434af05f1cd631a814cc8689e60210e4ca757e61390db8d222f05bf9f3a0fa7026bdf8c4368

C:\Users\Admin\AppData\Local\Temp\x

MD5 20e335859ff991575cf1ddf538e5817c
SHA1 1e81b804d67d6c0e22c0cef7e1cb9f86ce0ef5ee
SHA256 88339750431112ed60cdf9bdb7697434ba9b38e2d15ad604c4462705bc1bdfcf
SHA512 012251b342722cf35ebec2c7d071db505a992d81fc4b3492cd87640b5c955dc084825fc5e72edc821f4c481867183f21d26cd904fe7f0373d1156332f87b031d

C:\Users\Admin\AppData\Local\Temp\x.js

MD5 8eec8704d2a7bc80b95b7460c06f4854
SHA1 1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256 aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512 e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

C:\Users\Admin\AppData\Local\Temp\x

MD5 5ce1a2162bf5e16485f5e263b3cc5cf5
SHA1 e9ec3e06bef08fcf29be35c6a4b2217a8328133c
SHA256 0557ea4c5e309b16458ca32ac617b76d1a55f5f0103e368d05c0f0386b7a0a43
SHA512 ceb5e270bdbcab5be645e50705e3111a5c4751a7a865580d53fa86580025201264a49dd0ea9135b10cff28d7bb21b767ac5d4aff40e880a866ab35df273b5de1

C:\Users\Admin\AppData\Local\Temp\z.zip

MD5 d2ea024b943caa1361833885b832d20b
SHA1 1e17c27a3260862645bdaff5cf82c44172d4df9a
SHA256 39df3364a3af6f7d360aa7e1345e27befc4be960e0e7e7e060b20f3389b80e76
SHA512 7b7cfb5e689feed6a52eedf36b89a7b5cc411191571c0af5e5d704b5f24bfa04afa62d1daab159a7e5702d80e56f3946bf32db0551d256419ca12cd3c57dcecb

C:\Users\Admin\AppData\Roaming\MEMZ.exe

MD5 9c642c5b111ee85a6bccffc7af896a51
SHA1 eca8571b994fd40e2018f48c214fab6472a98bab
SHA256 4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA512 23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

MD5 fd9c682e7b16003d7a9853ac3ead2572
SHA1 7de5c5830611f89b68ff9968a16dbf8d74e27791
SHA256 5c05692b92e04c0f511afeacb7296fb1f3d7f93bfa2ad68718bde3e87db5e81f
SHA512 1aa594b71d3061df92b6a563b29a8060676ee2c62d7d7cf938b6df1f7a235f85de046992539c09c091dce99e49aa54efeb5c9e57cd7adcff25b35c22d2dd6799

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\recaptcha__en[1].js

MD5 1bb4ebd5a1126f7287c58e242a7188e2
SHA1 f06c98f9b76c942631ca4ced196b6ccff5aae339
SHA256 4b20abde9f7eb27dc344dbbb35f59aba01e4cc70262c07c260beadef9072f25e
SHA512 b51fe40ab04c98c21b1f233cb335f5d1ce2f496a2b07544025e5a89c171413ed1755bd5d9900ea43f0495fce190d4607b6d53c3d8078ebfaaecefa97471c8abe

C:\Users\Admin\AppData\Local\Temp\TarDB35.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\CabDB34.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5d2b9e5b47829ffe420cdce3cc807f8
SHA1 52699b9c39f0b969bd144e33bc5b3a076ffd3533
SHA256 42bfd3c1f3b221db7e9ce2183d15fb8b522555495626368c60200d4f3fb1806a
SHA512 62e15152fdcbc22d0285a9d6737388bec57f89bf9cd05c7064d4cde9c4c14d7b937e0b0999b7a27f7d75d9d841d1860d31a06dffb70c95348117fecca843facd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDCA3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05bd4a716ac1b1297f849c6406417f7a
SHA1 e7c7748990469e5f3cabb297f875b620ef648031
SHA256 f8c2d4653401db010842ec4396552eb5c713d343bbc3faf811d808dfdc21ba03
SHA512 5daf570ca0841c0af2134aa6b332e04e0643d1366e22352075ef90b24942a795eb691e7b9a2b44acdd151a314e32ba55c8ce3f9af65585de404c85367bd3fdfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fcc3279917d7c187a0c14731c55e90f
SHA1 0db0bc3a4d54eee947fc4e8a80ebf7ddd7441de9
SHA256 9c7b8fb7f1795efce013b3c2ec9adf07cce7130a9f743e31a5bec6e5fb92a8b2
SHA512 558dc8e05256220e2e430527863b26ca81ac0cfcc405a02d88ffcc70d313d42115fe1b0ea2f4344a3b58424d0991ac52afbe93b9a8f02cda070214cbb7c29227

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\styles__ltr[1].css

MD5 4adccf70587477c74e2fcd636e4ec895
SHA1 af63034901c98e2d93faa7737f9c8f52e302d88b
SHA256 0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512 d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf140a94f5a094395129001ebe7c0999
SHA1 5a16f65ca1084807d446275af6557767c930b382
SHA256 d038b7d5a4082a8cede97726491ad79462f66eba2a14252e3af1a36ba81eca0a
SHA512 efee74fc967217498e5372be145426fb438c790d18bfffbba57eba4261153763c4266234773032935758d05e947a42d3871975787b7239023d9e491ea2c37953

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fb19974fd768af3515e1dce80ebe13a
SHA1 c6542f4b8d9a7254cf85f987cfd01ccb51b543b2
SHA256 37b67bfcffc59d94f54ff67f931e876d41a34e22fe9882c034084534a534aad7
SHA512 afb8a8ebe44784c9c61fe8a6da20b601973ee503742625450aeccd9eb55d05d5e0a4b52f08609511d2596bb7b9ea9b0d03ffefdf2a966f3cbf5c4184387bd33b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0bb85542b3e694013e6a23e3f15e017
SHA1 d94276aaa87e9b2d9030680acb4cf2f6e42f7b0e
SHA256 11a9c2a17277f31dceee29ba41eaab3f54ba3e11f8e903d659e2701d0e77b566
SHA512 63a3d747b45de72d983150049053a291d3fe55ce0e80d5d39602ee8f982da6cc3c10d13f7c25f85216019f23bc24d44d1d2a2f494e2bb38d4b74bec68bbf33ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d05285051c17e2b7df544d4b566ac495
SHA1 aedd3627c4544e023bbacb504831e4455e5b8fb1
SHA256 cd313ddc3227f2a707beba8cc9428d207d855bba7a75a5a7f467e05a258b9330
SHA512 0a106815c17bd09a7ab303a0965bde93d245ee0af4b925dc1cc7cffeb5f8e52a404dc215e2bb5ff602b9895fe0dc6264aaab9882802f00fa5e96db88d1490209

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b18b5acab463b8e8cdd8820eb6fe5793
SHA1 d55f7b88c830a2a76d975e2f62a4f35bab9c3f24
SHA256 c517336164aa37b064275aafd97d6c9243c4090b66a8f359b7d7a6c2fb8785af
SHA512 1ece0c0f508a906697fb37eed0ef954a7cdfc22dc9db481b9a1925bd04fd4b1cc8ea7784658580170c68feb52bacf1732bf5860b509687f475edc6ea603d743f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 892fe6ce316872ddbd174734d7f44c3e
SHA1 0ad6016deba3f809c38912c3f018d4cef59bfe3c
SHA256 c168fa40aba6fcc82e98075be0e5def3232ce202d9b81cf6b973ac9c09004eb5
SHA512 f7a400eba953b54f5e8e53832d3101ec5a48ab447707deb58b7cab261e57aa51c60bb43a942575412c962ca8f93a2ea3969eaaf9896b9d7495a9ebced9417514

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a499d7a0dd0e094cc3afbef4a0824ceb
SHA1 57e118484bcbb76a45b8992a296d091d8635698e
SHA256 93c9b5d1c7378ffa37681e6304d3726aa89661f5d5cbd5a765f93012844c96a4
SHA512 2766dc382153334c5582925928c5d662284ad52b2606f9d49c05904a7708167805bf2481f897d9098ab3b5a1132ee9cdc3835b52f3babce90d95d1be89a6deca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9AIQ0IY.txt

MD5 aef47c1095f8fb815acf148654ce7139
SHA1 5f9d819268bb9f6d4902ab82a7dca1752bcffa7b
SHA256 82f1f8f3829294f3fbc35bb8886df607141044758c78267b06da3121d24ad1bf
SHA512 12a7b0040f48b9dc56ff526b2a0f433703e413fd646e9ca798696aee19af4b560b38dc5beb2c7b8fda22cbb46832b93b9a2fddc03c866eb983220220084f74d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\api[1].js

MD5 832e6993cda3469c6a40da72268663ac
SHA1 4650b1e5c601a454d3fd746276fff4cd3dbd54aa
SHA256 0ef1e5d700fb1691e5faa92a14f8a755c8dd4a92ec9b1a2310ad769b225cf46f
SHA512 6aefa1b28c697c81239e47ff57b3b61cc67bdbf820b7eac99f924db2b5093b7d03a029accd7dce42d517bde32cec9f6540082f7557b72bdc3c8da27095d68b80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b687a8d6d7418d51d44442531a8d83ab
SHA1 5b0ec34ed373c97e72cda25162d8076dd282ba68
SHA256 d42deeb79496a26fe50cb3e3653402188aa7c83fd06ebca2bc4efd9838e8fd51
SHA512 b0ade7e4c693a707a3f90745ad00a86a925f2181937f05d1de7c36a8e720c0d467366b3ba624539a0d6f8076e6e7110aa1624da7f1c7e2f72c381e6bd8b9a7bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5

MD5 b1558b58e43ab8a468ec29b48d0a3c92
SHA1 38dc6b391fadef5aa0805c884b881cc5e833f667
SHA256 1fba20b8ee73eaeb26ae859af1f0999a1200cd438d7ac409d34f1d65f6078416
SHA512 bf52d4d34dd209c563843f7189379030ba2d41c95b4378399bb44b28e35f14e09469451a7e6328fc3c5a58dd07cc4f062e7197a9c12d2176781793ba2ce63473

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5

MD5 ff1649757223a9542657979a437f8115
SHA1 979b7434e618669bcbb1cc7ae3be46cf0653a242
SHA256 b3f836dce27bf70fa4270f67d2a79bfab816b6b83a0ed1b28e874421612c645e
SHA512 7310d1a429efeef2aaf47a28cc6759df231a03021b0e0fb1e1fa67463723b9d06533080ab91d066b2c3f4b598287e5034d1e4db1119ba0384978ffaf54aa855b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 bcb7510a55236ea8a1ac07fc315d7749
SHA1 75a77010eeaeff829500328063fde023c0ce9268
SHA256 90c592258f96694d928141763db6f6315444ae7503adb71391aa62477eb384de
SHA512 08927ec377743d21eceeaca3b03f5eecbef20555fe8d4fb3c67c33aa70a43a69a4ac8782c9d64d71500ae4943509e36910ffac18086c11574b28159940595df1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6cc6112ce325265b854a74e80f4dd741
SHA1 21611d5c723bbc4fc391279f281b98099f58f52a
SHA256 07fc75257a2ab32f2b6927457f3e35105c140d4ee320f61edaba83fa3dff96ab
SHA512 cc36e369b4d22343e27b7116c67cf7d05cbdc2490f9acf60fd01b353cba740f5f5292cb93c2d30e93aa5ee9ccd2355e3bdd3c483f85f0d9ac55401b2b8cdf871

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b556f6a6b269b72c07ab8588108b17bd
SHA1 acf6b4613b3871b5516c1e82d03854582aad19ed
SHA256 44e5ed643164ad908501f8f1158ca77c321f701734a632730869753c2e7737a1
SHA512 24ffa6603bd5a0894cc2aac535d9f3bb914db1f4278d5fb9baed232369a24e4c609d567a2431c8c50a2943f61da6a1ebd4e3b39cf959abb0be4559740702a196

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOmCnqEu92Fr1Mu4mxP[1].ttf

MD5 372d0cc3288fe8e97df49742baefce90
SHA1 754d9eaa4a009c42e8d6d40c632a1dad6d44ec21
SHA256 466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f
SHA512 8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

MD5 4d88404f733741eaacfda2e318840a98
SHA1 49e0f3d32666ac36205f84ac7457030ca0a9d95f
SHA256 b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1
SHA512 2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

MD5 4d99b85fa964307056c1410f78f51439
SHA1 f8e30a1a61011f1ee42435d7e18ba7e21d4ee894
SHA256 01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0
SHA512 13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\iUtlSGKYOzM2yMthFEz4EvI4sH8UtHYh8-PL60PBWTs[1].js

MD5 b66c84ab7d1a9f3f3334e7cb0c81e48c
SHA1 ba87d37b29025eb941680c252d522d898ab5088b
SHA256 894b654862983b3336c8cb61144cf812f238b07f14b47621f3e3cbeb43c1593b
SHA512 d46d1b20f9aa559b33f0f8fe3382fd091152bf46347554a8c69b2e02a6f94d1d884c12532255efe28eee95b9d7cfc0ee37466be1b56733a732d41f0387ff6ddb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZZBC9MN4\www.google[1].xml

MD5 33b8e902e2a8b745953c0965caf3e8f6
SHA1 1c411852a8052689baea24570bb24adaec28f388
SHA256 2cf0113d713c1fcda23f59ce3004d49b18f56515a6af1096491ca591ec9c4596
SHA512 5351be8c7bee5648b09913f1cc57086284d9dea33e35a377108198b4b2d0f03b5ec0a371dbdab1e7ba2d0b956d75dfbb744356638f5d2f7e1afb508d8b78a15d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\logo_48[1].png

MD5 ef9941290c50cd3866e2ba6b793f010d
SHA1 4736508c795667dcea21f8d864233031223b7832
SHA256 1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a
SHA512 a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\webworker[1].js

MD5 62eb30af91dddd7d80f32a890e1e4672
SHA1 37f1141450a98dda7dd8899600e46d8a9f7cc970
SHA256 d601447806420fb7676679daa6dbb113d6617440ecc79998bb013370dc08f4fa
SHA512 16446d271e46b6561b1e26d77394dcc999f49cbcdd9971cc836be2de8048fef46168dc578f02c8b33af492d586d1e636331360a21778eb337ddcd1d9af471da6

\??\pipe\crashpad_1928_AOYWKITCFXURDTHP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C1A79D1FE71F363FF5592ADC5810C56A

MD5 6bda747740e6877414b544dece6279be
SHA1 cc3ee3472e71568520942cd4e97cc3d970d8e1f9
SHA256 bc456e12af010b8bf90d4fd6d55698f05e3effe2d4464f92f8420f2f81daedb9
SHA512 43a95a8f24b256dafab118de14aad83b2bf31740d21953bd9dc7d5bea5389334af6e28e5d77c050fdff87db64876d8f30f78b2105d7a76735c2a7b7ce8ab9b64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C1A79D1FE71F363FF5592ADC5810C56A

MD5 926b73fd15fe6bbe5c32ff53d0239bca
SHA1 05836353da1fc4ddf8dcbd66e3612704f867d314
SHA256 ceec30466be56e86b7d7e9dad38bd495c80426e4611b8cc2798a0f675c0ffe19
SHA512 4199738df2a456b6e419f61c431fc1413c542e39d11e7f960863fe88b6382a0052b48f0cf995e46b06b09a7a301ed7567986a2753b2411b085f4631d3e84320f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8df26fb6-8ca5-4f58-838c-23b63af3aae2.tmp

MD5 ae5b0b5ff305d271ff067af9ac87e978
SHA1 aa7f4fc14fefee604d10a8f1e82c38bf252187de
SHA256 1cdc878d6c3a2c5fea2ed3e1b70a1212d70f21c3b3d549e6f6878467f6dc0109
SHA512 9afa767973e8d22293fbf11ab0bffd289dddcf7b4604416d3f1d412ed8267b7c4a64e50b684d0b34093cfd49c8cfec009b027ce41daeadb2ec1c77a912fd4ab1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\579J00HR.txt

MD5 1cbfbd4f6c5c0ea2eb0d233a1b9e2db7
SHA1 b90d0dc98d4c6cfdf1b70dd66084fd843a8319ad
SHA256 0ea174b2de97fa592d50183997f73c674c9a8f52bab719f66583dccbc3332cab
SHA512 eb3e2bc75ffc693e513598fa8c5c6b3325c72cd61659645fc52bb9c7b0b28bff7f172786ce2e9afcbe1e5c0044820f868fed21e578e7d9cbed91afbfe14a705d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0540b018bd783e5fb690b10a135c5869
SHA1 8e33f947f10cc253ce1d04cea2436a0b48cec962
SHA256 43569358232e4131ca4f60a7c6094434fb0eadddfda125b2e063b6151931a330
SHA512 aa5e124b84fa430738132356ca5dc3402b62fc0e460cb7fa8557e2ce4b5c899f2e73af3aa7ca9bc7e95fd480265a4f4654bbf7becd91360b924dde81f024cf75

memory/632-929-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/632-930-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/632-932-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/632-933-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JDZYOMM3.txt

MD5 e450cf81032515dce0765d4e2739817e
SHA1 1dff752ea8bcae38e31c428bdefcef4bdfe3aa75
SHA256 99f1ad10e4b3012f433cbba014fc2bfc74f7a68ec45d72d68e97f12fe10e354a
SHA512 d0433760f89e5a5267c8f8e57c1f4d3b37802cbd5c9b17160ae273a2c468b3f899d1e6de5e5b0cdb058f34813d8ced5b63f64f1bd23be04aeb873473a91fd578

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f69c822bbbbf514219ebe03ba8cdf6b8
SHA1 0483bbceb721fbb67a17a72cd1dcd1263e4aebca
SHA256 d449187d335119255f1cc2178bed5c0fdf56e1d142493039b9d6a5d0907321db
SHA512 53ebeeb93824c87eaeb0a036ba95079e7dd5737ff02203ad693bbd5e91a7811bc6bf9a155597f584e1723f49bbdda45caf9bda8c8b45cb0b63e9322ca7b1d7fe

memory/632-946-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b150dd08078c8f67f45e96a168bc0c1
SHA1 d9e053a69755c38147457966ae730f9e6d537fe8
SHA256 cede4474a28742de581870df48c5d109bb8106db0a949f5f2970155d096d6023
SHA512 7c62459474ae184413f4608ca62ab50962328507e2503334104d1fdc2fe77bf11dacffe2faf635a4fe0f6ff71f2713131d76a8613d662989a02557f238282675

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 452be51208db8c6e28c3d902c4270cfa
SHA1 1b045a47b1af98a1517807c7b1f668eea3d538d8
SHA256 578adc10caee3ebb1edb46c919ef6ac5f36d02d52e6ce6a9bacbb37861e49798
SHA512 8cb6be536a0a6e6013ccb5c269083d89755485976b37eeb545d5bd528cfb799a7550877bde682537d6b04dd32676e07ffacb411411dc9807f3180410896711b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffbae6c68506a63faa9f061d840ab8a7
SHA1 936595577514f4970beadd7d159e9edd72390832
SHA256 92cbf3e68d7ed72c7a0b066a84230f98b5902cc1b298a58594bd5fa797b6d64e
SHA512 214ad30474dd4a130d9990dcf2060e2456f62a3d37aead721ecf084865378201497e5f9ba49499e0ec8be4d4b873ec2d62cb3b75db3855371df18c80d0c99c55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d98d9f049c88b20a8e01e5e37973f89d
SHA1 3046a6e261ab7413675d6ca03e695b66cc2596e9
SHA256 cd2eded5902df37bc3452c791aee5cc45c0b55c005a12316d5fdd85b14df779a
SHA512 45860551e61c2feb7ee9e4a0a2abf07080ff36aa06f1543c6654804b925f8a4b5f4b75fc2b93c057a0ec8ebdf0e01756a0f571d23f5ef2673806b11d393f927b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6aa653a6b66959e7d88e0d960364eced
SHA1 415c6220f3b1bae1b03db54b6f79d5efd7f369e9
SHA256 eb7f858d482e4f7fbb9093f83eca8c0f2a0de356a535a12543d6c55d45167325
SHA512 5b1f3ea5795d63a22cf3fe4dfcbfe5a82f21627f5f6ea9494dc74864ce433e3fd2dc254060d1189b1be0f633ff8fba3ab4431e95361237e2ce6de88b6821e6c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f51dc468dba95a13b2a65a50ec2bb009
SHA1 f6ac9af2e0736ea9277ec4e835cbabcceab9a4b7
SHA256 ae46750771d930b5ff3d5eec3edf5660075601864fccd3ffa73d28030521b3e8
SHA512 ef85a930d8530da51c687b8a6dc177d36ec577a9ddf8a3c934a5dc6f5769fb692903f015782aa3168d9e53ee4cf2dcadf7c974dd00771e0beb8dd82d1fd2153d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 3eb7f40807623e4712389516b85daa43
SHA1 194c3775bf93def9910322e655e10d4b6ddb906e
SHA256 321be4019330168b230555751e1fe54f79f3688d89dc5fda7a6aab3c2b4ea0ee
SHA512 a11ceb08971e3c66ad81ff1eee59f4e6f409421ce9fd5de694d9f3524ee5a2d93a11c6219f74b0e101c4982886a58dc49b3892ebd8abed6fc77689079f79c729

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3766897bebed32f0c2a8f24ccb484c6a
SHA1 9863359e165f0b2395e801a7aa37e8d3d4417eca
SHA256 c6e733235faa22b208caf213c6b68d850a060386b2c0794be7dfbcbccb793c6d
SHA512 16de5d1883ce1f04a973b0ed26aba69a776e12d92a3a3d87afc14d6a635a78f64072e2af00e1ec9c9b4ce244129b0af61d2e58f924da8cf88a6989c1f2f310ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bf5a4250191c84dad4f3b0782584b83
SHA1 cde2970e21aa88a9c24f71f820aedc490c91d2ab
SHA256 a63411b5bc651712c150b33bb671a2e14f67238b7d06ecb2f89dc029e5c0f280
SHA512 5318dd766de6f19e241b1cd69260a9622eaad909fea9f97365f77dd84e29b7e19179135c1338973117b798aac25fc993ff80499010e9b5224f7e6faba13916d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec4530c934a969d196f512a2dd645464
SHA1 5075d0d22c40c0af547b25bf48474bd078eaca35
SHA256 8d2a7a4d5c609c033527467ba829c47b6ee14de819b069d563d02855012bdcec
SHA512 052d019fe1d0b801c297fbdc644381ed320b5493031befd5ff17f4f2376b3d140c967bf11240afc25bc7f1b745e826c6761937bd9280ad28e58f42de46380fcb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YE7HRTFG.txt

MD5 7b041c9bc480d03541e10c3e802ec75d
SHA1 dffac761b749dbcab2d13104087f000a8886c7c8
SHA256 4545c3f985381f4384c5162d6f622e09a887f969f6a1ab8eb32e9e624734e2ec
SHA512 8a89fd6150c0cbee17b34d2d1bbd0befbae9135269cdc4f4d494dae20914612585ff4bda5c9780c2a5277764597e95a15ac775207b9deb6a8c2d1e9edb22951f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H353K9Y1.txt

MD5 99c36c2b70aa83d9297a9710827753c2
SHA1 c4c77472105942ef3f6352aaa28f4ecac9aa9851
SHA256 41c0808e111b4ca9108495ca80ee68608387e2bd8baeef62e0819120c4e61eca
SHA512 88c12ef4fbedcace9d0d28a3437f4b27cc67d3209d97bca7a15184a897e31bdd00cf0e33d7ef6261fe1fdcd1fadb47227b4cd14a625711d73f4fe5797bc605ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5264b73f784e9d74f47167eb44a871a4
SHA1 19a58945fe59f8fa53388243a5a62df13ec2cfde
SHA256 21b63b1198154dbd76fcb24e81e3ed1d5818cbc7d901cce72f64a11ea19ebd47
SHA512 37d9c8858a78db05d71f38aeca40b54a064984197c8868c2bea56dc1f6d33aa73482788f8c37b75aa16799344c9533ac7a17af2d57840c4a2b3485475dfd6ea6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 20:37

Reported

2024-06-20 20:40

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp

Files

memory/1724-0-0x0000000000BE0000-0x0000000000BF8000-memory.dmp

memory/1724-1-0x00007FFF67033000-0x00007FFF67035000-memory.dmp

memory/1724-2-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

memory/1736-3-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u21fbai5.kcj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1736-9-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

memory/1736-15-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

memory/1736-14-0x000002883B8D0000-0x000002883B8F2000-memory.dmp

memory/1736-18-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04f1d68afbed6b13399edfae1e9b1472
SHA1 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256 f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA512 30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

memory/1724-46-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp