Analysis Overview
SHA256
ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Threat Level: Known bad
The file asdasdad.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: CmdExeWriteProcessMemorySpam
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:37
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:37
Reported
2024-06-20 20:40
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MEMZ.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b9c2d883d300b8438f464723a166174200000000020000000000106600000001000020000000cf96c7ed55c06bcbb487f7c7c06cd319d2070518a4e63551ae6c7b3ad9a72480000000000e80000000020000200000009660092b75ddcc3e52b2fb5c1b959d8e798679895633f52c95fb2456ff9091ea2000000023b5cfe33789142f715384a5f0178866c8ff5baeeb3f3cf5deebc25a5927d11540000000fd58db3de3dad3818be07bf73290c042ed3973b29fbf5461f30e27a57239c76b2869eeb23a83579151696d387b4567554dd236a806c518459381fd82dc13121e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11970EC1-2F45-11EF-92E0-EA483E0BCDAF} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1078f6df51c3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b9c2d883d300b8438f464723a1661742000000000200000000001066000000010000200000003502b6779fea0a2c4e8a7d721646a931f205d8f0408ba76829a6b7464d62d195000000000e8000000002000020000000a806dac786cd709f786a68ee210566646914e4d3ae8beb85dee0610a449058569000000005dfd33c7eac20e9836c9ed09fc722588e0a7ff8331768d33c31c141d8eb373667cb367e5aa025c7cfcf0a2134588bc48635a412e1c122bd48386bd10535f50290a60e542b44d9e20fbcd7a0992c2f9dc672bd264e7b97886258b130ea89058e25db5d811b070b75b7287cca4d6c8516b36eb25334a31e9f7c52b34fbe928a1b742eaaa4321c5e9ff836bb3f5cb3a19f400000009864a0777b0cf02b5eb68b2c29122da8bb46f9a8a1c1cf0ab2e34ffa4d531fb301b573d1d43f912cfe194dc06f4de63f9522d80abcc6b0f9fc59eb2c2be8bbfe | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425077785" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MEMZ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\asdasdad.exe
"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ixsjxa.bat" "
C:\Windows\system32\cscript.exe
cscript x.js
C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+2+buy+weed
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:472083 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1fa9758,0x7fef1fa9768,0x7fef1fa9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2716 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 --field-trial-handle=1248,i,15353033206848967607,17439005234832127976,131072 /prefetch:8
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1127441 /prefetch:2
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1324053 /prefetch:2
C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:1127457 /prefetch:2
C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
Network
Files
| SHA256 | 37b67bfcffc59d94f54ff67f931e876d41a34e22fe9882c034084534a534aad7 |
| SHA512 | afb8a8ebe44784c9c61fe8a6da20b601973ee503742625450aeccd9eb55d05d5e0a4b52f08609511d2596bb7b9ea9b0d03ffefdf2a966f3cbf5c4184387bd33b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0bb85542b3e694013e6a23e3f15e017 |
| SHA1 | d94276aaa87e9b2d9030680acb4cf2f6e42f7b0e |
| SHA256 | 11a9c2a17277f31dceee29ba41eaab3f54ba3e11f8e903d659e2701d0e77b566 |
| SHA512 | 63a3d747b45de72d983150049053a291d3fe55ce0e80d5d39602ee8f982da6cc3c10d13f7c25f85216019f23bc24d44d1d2a2f494e2bb38d4b74bec68bbf33ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d05285051c17e2b7df544d4b566ac495 |
| SHA1 | aedd3627c4544e023bbacb504831e4455e5b8fb1 |
| SHA256 | cd313ddc3227f2a707beba8cc9428d207d855bba7a75a5a7f467e05a258b9330 |
| SHA512 | 0a106815c17bd09a7ab303a0965bde93d245ee0af4b925dc1cc7cffeb5f8e52a404dc215e2bb5ff602b9895fe0dc6264aaab9882802f00fa5e96db88d1490209 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b18b5acab463b8e8cdd8820eb6fe5793 |
| SHA1 | d55f7b88c830a2a76d975e2f62a4f35bab9c3f24 |
| SHA256 | c517336164aa37b064275aafd97d6c9243c4090b66a8f359b7d7a6c2fb8785af |
| SHA512 | 1ece0c0f508a906697fb37eed0ef954a7cdfc22dc9db481b9a1925bd04fd4b1cc8ea7784658580170c68feb52bacf1732bf5860b509687f475edc6ea603d743f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 892fe6ce316872ddbd174734d7f44c3e |
| SHA1 | 0ad6016deba3f809c38912c3f018d4cef59bfe3c |
| SHA256 | c168fa40aba6fcc82e98075be0e5def3232ce202d9b81cf6b973ac9c09004eb5 |
| SHA512 | f7a400eba953b54f5e8e53832d3101ec5a48ab447707deb58b7cab261e57aa51c60bb43a942575412c962ca8f93a2ea3969eaaf9896b9d7495a9ebced9417514 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a499d7a0dd0e094cc3afbef4a0824ceb |
| SHA1 | 57e118484bcbb76a45b8992a296d091d8635698e |
| SHA256 | 93c9b5d1c7378ffa37681e6304d3726aa89661f5d5cbd5a765f93012844c96a4 |
| SHA512 | 2766dc382153334c5582925928c5d662284ad52b2606f9d49c05904a7708167805bf2481f897d9098ab3b5a1132ee9cdc3835b52f3babce90d95d1be89a6deca |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9AIQ0IY.txt
| MD5 | aef47c1095f8fb815acf148654ce7139 |
| SHA1 | 5f9d819268bb9f6d4902ab82a7dca1752bcffa7b |
| SHA256 | 82f1f8f3829294f3fbc35bb8886df607141044758c78267b06da3121d24ad1bf |
| SHA512 | 12a7b0040f48b9dc56ff526b2a0f433703e413fd646e9ca798696aee19af4b560b38dc5beb2c7b8fda22cbb46832b93b9a2fddc03c866eb983220220084f74d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\api[1].js
| MD5 | 832e6993cda3469c6a40da72268663ac |
| SHA1 | 4650b1e5c601a454d3fd746276fff4cd3dbd54aa |
| SHA256 | 0ef1e5d700fb1691e5faa92a14f8a755c8dd4a92ec9b1a2310ad769b225cf46f |
| SHA512 | 6aefa1b28c697c81239e47ff57b3b61cc67bdbf820b7eac99f924db2b5093b7d03a029accd7dce42d517bde32cec9f6540082f7557b72bdc3c8da27095d68b80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b687a8d6d7418d51d44442531a8d83ab |
| SHA1 | 5b0ec34ed373c97e72cda25162d8076dd282ba68 |
| SHA256 | d42deeb79496a26fe50cb3e3653402188aa7c83fd06ebca2bc4efd9838e8fd51 |
| SHA512 | b0ade7e4c693a707a3f90745ad00a86a925f2181937f05d1de7c36a8e720c0d467366b3ba624539a0d6f8076e6e7110aa1624da7f1c7e2f72c381e6bd8b9a7bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5
| MD5 | b1558b58e43ab8a468ec29b48d0a3c92 |
| SHA1 | 38dc6b391fadef5aa0805c884b881cc5e833f667 |
| SHA256 | 1fba20b8ee73eaeb26ae859af1f0999a1200cd438d7ac409d34f1d65f6078416 |
| SHA512 | bf52d4d34dd209c563843f7189379030ba2d41c95b4378399bb44b28e35f14e09469451a7e6328fc3c5a58dd07cc4f062e7197a9c12d2176781793ba2ce63473 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5
| MD5 | ff1649757223a9542657979a437f8115 |
| SHA1 | 979b7434e618669bcbb1cc7ae3be46cf0653a242 |
| SHA256 | b3f836dce27bf70fa4270f67d2a79bfab816b6b83a0ed1b28e874421612c645e |
| SHA512 | 7310d1a429efeef2aaf47a28cc6759df231a03021b0e0fb1e1fa67463723b9d06533080ab91d066b2c3f4b598287e5034d1e4db1119ba0384978ffaf54aa855b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | ac89a852c2aaa3d389b2d2dd312ad367 |
| SHA1 | 8f421dd6493c61dbda6b839e2debb7b50a20c930 |
| SHA256 | 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45 |
| SHA512 | c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | bcb7510a55236ea8a1ac07fc315d7749 |
| SHA1 | 75a77010eeaeff829500328063fde023c0ce9268 |
| SHA256 | 90c592258f96694d928141763db6f6315444ae7503adb71391aa62477eb384de |
| SHA512 | 08927ec377743d21eceeaca3b03f5eecbef20555fe8d4fb3c67c33aa70a43a69a4ac8782c9d64d71500ae4943509e36910ffac18086c11574b28159940595df1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 6cc6112ce325265b854a74e80f4dd741 |
| SHA1 | 21611d5c723bbc4fc391279f281b98099f58f52a |
| SHA256 | 07fc75257a2ab32f2b6927457f3e35105c140d4ee320f61edaba83fa3dff96ab |
| SHA512 | cc36e369b4d22343e27b7116c67cf7d05cbdc2490f9acf60fd01b353cba740f5f5292cb93c2d30e93aa5ee9ccd2355e3bdd3c483f85f0d9ac55401b2b8cdf871 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b556f6a6b269b72c07ab8588108b17bd |
| SHA1 | acf6b4613b3871b5516c1e82d03854582aad19ed |
| SHA256 | 44e5ed643164ad908501f8f1158ca77c321f701734a632730869753c2e7737a1 |
| SHA512 | 24ffa6603bd5a0894cc2aac535d9f3bb914db1f4278d5fb9baed232369a24e4c609d567a2431c8c50a2943f61da6a1ebd4e3b39cf959abb0be4559740702a196 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOmCnqEu92Fr1Mu4mxP[1].ttf
| MD5 | 372d0cc3288fe8e97df49742baefce90 |
| SHA1 | 754d9eaa4a009c42e8d6d40c632a1dad6d44ec21 |
| SHA256 | 466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f |
| SHA512 | 8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf
| MD5 | 4d88404f733741eaacfda2e318840a98 |
| SHA1 | 49e0f3d32666ac36205f84ac7457030ca0a9d95f |
| SHA256 | b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1 |
| SHA512 | 2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf
| MD5 | 4d99b85fa964307056c1410f78f51439 |
| SHA1 | f8e30a1a61011f1ee42435d7e18ba7e21d4ee894 |
| SHA256 | 01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0 |
| SHA512 | 13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\iUtlSGKYOzM2yMthFEz4EvI4sH8UtHYh8-PL60PBWTs[1].js
| MD5 | b66c84ab7d1a9f3f3334e7cb0c81e48c |
| SHA1 | ba87d37b29025eb941680c252d522d898ab5088b |
| SHA256 | 894b654862983b3336c8cb61144cf812f238b07f14b47621f3e3cbeb43c1593b |
| SHA512 | d46d1b20f9aa559b33f0f8fe3382fd091152bf46347554a8c69b2e02a6f94d1d884c12532255efe28eee95b9d7cfc0ee37466be1b56733a732d41f0387ff6ddb |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZZBC9MN4\www.google[1].xml
| MD5 | 33b8e902e2a8b745953c0965caf3e8f6 |
| SHA1 | 1c411852a8052689baea24570bb24adaec28f388 |
| SHA256 | 2cf0113d713c1fcda23f59ce3004d49b18f56515a6af1096491ca591ec9c4596 |
| SHA512 | 5351be8c7bee5648b09913f1cc57086284d9dea33e35a377108198b4b2d0f03b5ec0a371dbdab1e7ba2d0b956d75dfbb744356638f5d2f7e1afb508d8b78a15d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\logo_48[1].png
| MD5 | ef9941290c50cd3866e2ba6b793f010d |
| SHA1 | 4736508c795667dcea21f8d864233031223b7832 |
| SHA256 | 1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a |
| SHA512 | a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\webworker[1].js
| MD5 | 62eb30af91dddd7d80f32a890e1e4672 |
| SHA1 | 37f1141450a98dda7dd8899600e46d8a9f7cc970 |
| SHA256 | d601447806420fb7676679daa6dbb113d6617440ecc79998bb013370dc08f4fa |
| SHA512 | 16446d271e46b6561b1e26d77394dcc999f49cbcdd9971cc836be2de8048fef46168dc578f02c8b33af492d586d1e636331360a21778eb337ddcd1d9af471da6 |
\??\pipe\crashpad_1928_AOYWKITCFXURDTHP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C1A79D1FE71F363FF5592ADC5810C56A
| MD5 | 6bda747740e6877414b544dece6279be |
| SHA1 | cc3ee3472e71568520942cd4e97cc3d970d8e1f9 |
| SHA256 | bc456e12af010b8bf90d4fd6d55698f05e3effe2d4464f92f8420f2f81daedb9 |
| SHA512 | 43a95a8f24b256dafab118de14aad83b2bf31740d21953bd9dc7d5bea5389334af6e28e5d77c050fdff87db64876d8f30f78b2105d7a76735c2a7b7ce8ab9b64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C1A79D1FE71F363FF5592ADC5810C56A
| MD5 | 926b73fd15fe6bbe5c32ff53d0239bca |
| SHA1 | 05836353da1fc4ddf8dcbd66e3612704f867d314 |
| SHA256 | ceec30466be56e86b7d7e9dad38bd495c80426e4611b8cc2798a0f675c0ffe19 |
| SHA512 | 4199738df2a456b6e419f61c431fc1413c542e39d11e7f960863fe88b6382a0052b48f0cf995e46b06b09a7a301ed7567986a2753b2411b085f4631d3e84320f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8df26fb6-8ca5-4f58-838c-23b63af3aae2.tmp
| MD5 | ae5b0b5ff305d271ff067af9ac87e978 |
| SHA1 | aa7f4fc14fefee604d10a8f1e82c38bf252187de |
| SHA256 | 1cdc878d6c3a2c5fea2ed3e1b70a1212d70f21c3b3d549e6f6878467f6dc0109 |
| SHA512 | 9afa767973e8d22293fbf11ab0bffd289dddcf7b4604416d3f1d412ed8267b7c4a64e50b684d0b34093cfd49c8cfec009b027ce41daeadb2ec1c77a912fd4ab1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\579J00HR.txt
| MD5 | 1cbfbd4f6c5c0ea2eb0d233a1b9e2db7 |
| SHA1 | b90d0dc98d4c6cfdf1b70dd66084fd843a8319ad |
| SHA256 | 0ea174b2de97fa592d50183997f73c674c9a8f52bab719f66583dccbc3332cab |
| SHA512 | eb3e2bc75ffc693e513598fa8c5c6b3325c72cd61659645fc52bb9c7b0b28bff7f172786ce2e9afcbe1e5c0044820f868fed21e578e7d9cbed91afbfe14a705d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0540b018bd783e5fb690b10a135c5869 |
| SHA1 | 8e33f947f10cc253ce1d04cea2436a0b48cec962 |
| SHA256 | 43569358232e4131ca4f60a7c6094434fb0eadddfda125b2e063b6151931a330 |
| SHA512 | aa5e124b84fa430738132356ca5dc3402b62fc0e460cb7fa8557e2ce4b5c899f2e73af3aa7ca9bc7e95fd480265a4f4654bbf7becd91360b924dde81f024cf75 |
memory/632-929-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/632-930-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/632-932-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/632-933-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JDZYOMM3.txt
| MD5 | e450cf81032515dce0765d4e2739817e |
| SHA1 | 1dff752ea8bcae38e31c428bdefcef4bdfe3aa75 |
| SHA256 | 99f1ad10e4b3012f433cbba014fc2bfc74f7a68ec45d72d68e97f12fe10e354a |
| SHA512 | d0433760f89e5a5267c8f8e57c1f4d3b37802cbd5c9b17160ae273a2c468b3f899d1e6de5e5b0cdb058f34813d8ced5b63f64f1bd23be04aeb873473a91fd578 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f69c822bbbbf514219ebe03ba8cdf6b8 |
| SHA1 | 0483bbceb721fbb67a17a72cd1dcd1263e4aebca |
| SHA256 | d449187d335119255f1cc2178bed5c0fdf56e1d142493039b9d6a5d0907321db |
| SHA512 | 53ebeeb93824c87eaeb0a036ba95079e7dd5737ff02203ad693bbd5e91a7811bc6bf9a155597f584e1723f49bbdda45caf9bda8c8b45cb0b63e9322ca7b1d7fe |
memory/632-946-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b150dd08078c8f67f45e96a168bc0c1 |
| SHA1 | d9e053a69755c38147457966ae730f9e6d537fe8 |
| SHA256 | cede4474a28742de581870df48c5d109bb8106db0a949f5f2970155d096d6023 |
| SHA512 | 7c62459474ae184413f4608ca62ab50962328507e2503334104d1fdc2fe77bf11dacffe2faf635a4fe0f6ff71f2713131d76a8613d662989a02557f238282675 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 452be51208db8c6e28c3d902c4270cfa |
| SHA1 | 1b045a47b1af98a1517807c7b1f668eea3d538d8 |
| SHA256 | 578adc10caee3ebb1edb46c919ef6ac5f36d02d52e6ce6a9bacbb37861e49798 |
| SHA512 | 8cb6be536a0a6e6013ccb5c269083d89755485976b37eeb545d5bd528cfb799a7550877bde682537d6b04dd32676e07ffacb411411dc9807f3180410896711b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffbae6c68506a63faa9f061d840ab8a7 |
| SHA1 | 936595577514f4970beadd7d159e9edd72390832 |
| SHA256 | 92cbf3e68d7ed72c7a0b066a84230f98b5902cc1b298a58594bd5fa797b6d64e |
| SHA512 | 214ad30474dd4a130d9990dcf2060e2456f62a3d37aead721ecf084865378201497e5f9ba49499e0ec8be4d4b873ec2d62cb3b75db3855371df18c80d0c99c55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d98d9f049c88b20a8e01e5e37973f89d |
| SHA1 | 3046a6e261ab7413675d6ca03e695b66cc2596e9 |
| SHA256 | cd2eded5902df37bc3452c791aee5cc45c0b55c005a12316d5fdd85b14df779a |
| SHA512 | 45860551e61c2feb7ee9e4a0a2abf07080ff36aa06f1543c6654804b925f8a4b5f4b75fc2b93c057a0ec8ebdf0e01756a0f571d23f5ef2673806b11d393f927b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6aa653a6b66959e7d88e0d960364eced |
| SHA1 | 415c6220f3b1bae1b03db54b6f79d5efd7f369e9 |
| SHA256 | eb7f858d482e4f7fbb9093f83eca8c0f2a0de356a535a12543d6c55d45167325 |
| SHA512 | 5b1f3ea5795d63a22cf3fe4dfcbfe5a82f21627f5f6ea9494dc74864ce433e3fd2dc254060d1189b1be0f633ff8fba3ab4431e95361237e2ce6de88b6821e6c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f51dc468dba95a13b2a65a50ec2bb009 |
| SHA1 | f6ac9af2e0736ea9277ec4e835cbabcceab9a4b7 |
| SHA256 | ae46750771d930b5ff3d5eec3edf5660075601864fccd3ffa73d28030521b3e8 |
| SHA512 | ef85a930d8530da51c687b8a6dc177d36ec577a9ddf8a3c934a5dc6f5769fb692903f015782aa3168d9e53ee4cf2dcadf7c974dd00771e0beb8dd82d1fd2153d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 3eb7f40807623e4712389516b85daa43 |
| SHA1 | 194c3775bf93def9910322e655e10d4b6ddb906e |
| SHA256 | 321be4019330168b230555751e1fe54f79f3688d89dc5fda7a6aab3c2b4ea0ee |
| SHA512 | a11ceb08971e3c66ad81ff1eee59f4e6f409421ce9fd5de694d9f3524ee5a2d93a11c6219f74b0e101c4982886a58dc49b3892ebd8abed6fc77689079f79c729 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3766897bebed32f0c2a8f24ccb484c6a |
| SHA1 | 9863359e165f0b2395e801a7aa37e8d3d4417eca |
| SHA256 | c6e733235faa22b208caf213c6b68d850a060386b2c0794be7dfbcbccb793c6d |
| SHA512 | 16de5d1883ce1f04a973b0ed26aba69a776e12d92a3a3d87afc14d6a635a78f64072e2af00e1ec9c9b4ce244129b0af61d2e58f924da8cf88a6989c1f2f310ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3bf5a4250191c84dad4f3b0782584b83 |
| SHA1 | cde2970e21aa88a9c24f71f820aedc490c91d2ab |
| SHA256 | a63411b5bc651712c150b33bb671a2e14f67238b7d06ecb2f89dc029e5c0f280 |
| SHA512 | 5318dd766de6f19e241b1cd69260a9622eaad909fea9f97365f77dd84e29b7e19179135c1338973117b798aac25fc993ff80499010e9b5224f7e6faba13916d7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec4530c934a969d196f512a2dd645464 |
| SHA1 | 5075d0d22c40c0af547b25bf48474bd078eaca35 |
| SHA256 | 8d2a7a4d5c609c033527467ba829c47b6ee14de819b069d563d02855012bdcec |
| SHA512 | 052d019fe1d0b801c297fbdc644381ed320b5493031befd5ff17f4f2376b3d140c967bf11240afc25bc7f1b745e826c6761937bd9280ad28e58f42de46380fcb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YE7HRTFG.txt
| MD5 | 7b041c9bc480d03541e10c3e802ec75d |
| SHA1 | dffac761b749dbcab2d13104087f000a8886c7c8 |
| SHA256 | 4545c3f985381f4384c5162d6f622e09a887f969f6a1ab8eb32e9e624734e2ec |
| SHA512 | 8a89fd6150c0cbee17b34d2d1bbd0befbae9135269cdc4f4d494dae20914612585ff4bda5c9780c2a5277764597e95a15ac775207b9deb6a8c2d1e9edb22951f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H353K9Y1.txt
| MD5 | 99c36c2b70aa83d9297a9710827753c2 |
| SHA1 | c4c77472105942ef3f6352aaa28f4ecac9aa9851 |
| SHA256 | 41c0808e111b4ca9108495ca80ee68608387e2bd8baeef62e0819120c4e61eca |
| SHA512 | 88c12ef4fbedcace9d0d28a3437f4b27cc67d3209d97bca7a15184a897e31bdd00cf0e33d7ef6261fe1fdcd1fadb47227b4cd14a625711d73f4fe5797bc605ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5264b73f784e9d74f47167eb44a871a4 |
| SHA1 | 19a58945fe59f8fa53388243a5a62df13ec2cfde |
| SHA256 | 21b63b1198154dbd76fcb24e81e3ed1d5818cbc7d901cce72f64a11ea19ebd47 |
| SHA512 | 37d9c8858a78db05d71f38aeca40b54a064984197c8868c2bea56dc1f6d33aa73482788f8c37b75aa16799344c9533ac7a17af2d57840c4a2b3485475dfd6ea6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 20:37
Reported
2024-06-20 20:40
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1724 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1724 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1724 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1724 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1724 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\asdasdad.exe
"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'
Network
| Country | Destination | Domain | Proto |
| US | 23.53.113.159:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp |
Files
memory/1724-0-0x0000000000BE0000-0x0000000000BF8000-memory.dmp
memory/1724-1-0x00007FFF67033000-0x00007FFF67035000-memory.dmp
memory/1724-2-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/1736-3-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u21fbai5.kcj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1736-9-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/1736-15-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/1736-14-0x000002883B8D0000-0x000002883B8F2000-memory.dmp
memory/1736-18-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04f1d68afbed6b13399edfae1e9b1472 |
| SHA1 | 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0 |
| SHA256 | f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de |
| SHA512 | 30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75 |
memory/1724-46-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp