Analysis Overview
SHA256
bed864cabab1670f24a99a1313f207d8fe4015195d6f23c2f91d248f166d8210
Threat Level: Known bad
The file ШЕДЕВРОxworm.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Umbral payload
Detect Xworm Payload
Umbral
Command and Scripting Interpreter: PowerShell
.NET Reactor protector
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 22:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 22:38
Reported
2024-06-25 22:39
Platform
win11-20240508-en
Max time kernel
3s
Max time network
18s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ШЕДЕВРОxworm.exe
"C:\Users\Admin\AppData\Local\Temp\ШЕДЕВРОxworm.exe"
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
C:\Users\Admin\AppData\Local\Temp\Активация Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Активация Nursultan.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB Setup.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Запусть.exe
"C:\Users\Admin\AppData\Local\Temp\Запусть.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\CHECK_CHEATS_PRIVATE.exe
"C:\Users\Admin\AppData\Local\Temp\CHECK_CHEATS_PRIVATE.exe"
C:\Users\Admin\AppData\Local\Temp\AntiRemoteDesktop_protected.exe
"C:\Users\Admin\AppData\Local\Temp\AntiRemoteDesktop_protected.exe"
C:\Users\Admin\AppData\Local\Temp\Meatspin.exe
"C:\Users\Admin\AppData\Local\Temp\Meatspin.exe"
C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe
"C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ChainReviewcrt\YCVmOKLi2cE5f8VDee8IIrvR4EqTMXF6LxehtVVFhgDVO8nr3r.vbe"
C:\Users\Admin\AppData\Local\Temp\скример.exe
"C:\Users\Admin\AppData\Local\Temp\скример.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\headache.exe
"C:\Users\Admin\AppData\Local\Temp\headache.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверочка.exe'
C:\Users\Admin\AppData\Local\Temp\проверочка.exe
"C:\Users\Admin\AppData\Local\Temp\проверочка.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\check.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
C:\Users\Admin\AppData\Local\Temp\check.exe
"C:\Users\Admin\AppData\Local\Temp\check.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ChainReviewcrt\GvwJ8NcbCdMxeCxLRM27L6ajB5P7LjMMpRKH.bat" "
C:\ChainReviewcrt\Blockbrowserinto.exe
"C:\ChainReviewcrt/Blockbrowserinto.exe"
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3356.0.1929222151\1205504640" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9de889c-8ab6-418f-ab40-ba38398eb980} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" 1848 1773eb0ca58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3356.1.222009380\1618356292" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {064b88cb-64d6-4cd0-ae21-04fba2147927} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" 2420 17731e85f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3356.2.1439946603\1638331931" -childID 1 -isForBrowser -prefsHandle 2740 -prefMapHandle 2696 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {641cce54-308d-45ff-a417-dad520f2cc99} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" 2704 177422bb858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3356.3.651990240\407459290" -childID 2 -isForBrowser -prefsHandle 3284 -prefMapHandle 2780 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e21cb0-dfda-476b-9597-f8b7584cc537} 3356 "\\.\pipe\gecko-crash-server-pipe.3356" 3260 17740e16e58 tab
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6gSubdolQT.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
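The process list above is the most useful part of this report for a defender: the chain adds Microsoft Defender exclusions with `Add-MpPreference` from PowerShell started with `-ExecutionPolicy Bypass`, excludes `MSBuild.exe` and then launches it with no project file, runs a `.vbe` and a `.bat` out of a non-standard root directory (`C:\ChainReviewcrt`), and calls `w32tm /stripchart` against localhost, a common batch-file sleep idiom. The script below is an added example written for this page (it is not the sandbox vendor's signature code) that re-triages process-creation events of this shape and returns findings per ATT&CK technique. The sample events are constructed from the command lines listed above; apart from T1059.001, which the report itself maps, the technique IDs are the editor's own mapping and the thresholds (what counts as an "unusual path", the LOLBin list) are assumptions.

```python
"""Added example (editor's own code, not the sandbox vendor's signatures):
re-triage process-creation events like the ones in this report. ATT&CK IDs
other than T1059.001 are the editor's mapping, not the report's."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (editor's mapping, see module docstring)
    title: str
    image: str
    detail: str


# Sample (image, command line) events constructed from the report's process list.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\ChainReviewcrt\YCVmOKLi2cE5f8VDee8IIrvR4EqTMXF6LxehtVVFhgDVO8nr3r.vbe"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\ChainReviewcrt\GvwJ8NcbCdMxeCxLRM27L6ajB5P7LjMMpRKH.bat" "'),
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6gSubdolQT.bat"'),
    (r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),   # benign control
]

# Signed proxy-execution hosts (LOLBAS); a Defender exclusion on one of these is
# far more suspicious than an exclusion on the dropper itself. Assumed list.
LOLBINS = {"msbuild.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
           "rundll32.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                  "c:\\users\\", "c:\\programdata\\")
EXCL_PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+('[^']*'|\"[^\"]*\"|\S+)", re.I)
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:vbe|vbs|js|jse|wsf))(?=["\s]|$)', re.I)
BATCH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd))(?=["\s]|$)', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def odd_location(path):
    """True for a path outside the standard roots or inside a user's Temp directory."""
    p = path.lower()
    return not p.startswith(STANDARD_ROOTS) or "\\appdata\\local\\temp\\" in p


def arguments_after_image(cmdline):
    """Strip the (possibly quoted) image path and return what follows it."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:] if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def parse_exclusions(cmdline):
    """Return [(parameter, value), ...] for every Defender exclusion the command adds."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return []
    return [(param, raw.strip("'\"")) for param, raw in EXCL_PARAM_RE.findall(cmdline)]


def classify(image, cmdline):
    exe, out = basename(image), []
    if exe in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-ex\w*\s+bypass", cmdline, re.I):   # -ExecutionPolicy / -ep Bypass
            out.append(Finding("T1059.001", "PowerShell launched with -ExecutionPolicy Bypass", image, cmdline))
        for param, value in parse_exclusions(cmdline):
            if basename(value) in LOLBINS:
                title = "Defender exclusion on a proxy-execution binary"
            elif odd_location(value):
                title = "Defender exclusion on a file in a user-writable location"
            else:
                title = "Defender exclusion added"
            out.append(Finding("T1562.001", title, image, f"-{param} {value}"))
    elif exe in ("wscript.exe", "cscript.exe"):
        m = SCRIPT_RE.search(cmdline)
        if m and odd_location(m.group(1)):
            out.append(Finding("T1059.005", "Script host running a script from an unusual path", image, m.group(1)))
    elif exe == "msbuild.exe" and not arguments_after_image(cmdline).strip():
        out.append(Finding("T1127.001", "MSBuild launched without a project argument", image, cmdline))
    elif exe == "cmd.exe":
        m = BATCH_RE.search(cmdline)
        if m and odd_location(m.group(1)):
            out.append(Finding("T1059.003", "cmd.exe running a batch file from an unusual path", image, m.group(1)))
    elif exe == "w32tm.exe" and "/stripchart" in cmdline.lower() and "localhost" in cmdline.lower():
        period = re.search(r"/period:(\d+)", cmdline, re.I)
        samples = re.search(r"/samples:(\d+)", cmdline, re.I)
        delay = int(period.group(1)) * (int(samples.group(1)) - 1) if period and samples else None
        out.append(Finding("T1497.003", "w32tm /stripchart against localhost used as a sleep", image,
                           f"roughly {delay} s pause" if delay is not None else cmdline))
    return out


def triage(events):
    return [f for image, cmdline in events for f in classify(image, cmdline)]


def summarize(findings):
    """Count findings per ATT&CK technique ID."""
    return Counter(f.technique for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.title}: {f.detail}")
```

On a real host the same questions are answered by `Get-MpPreference` (look at `ExclusionPath`, `ExclusionProcess`, `ExclusionExtension`) and by Defender operational log event 5007, which records each configuration change; an exclusion covering `MSBuild.exe` or anything under a user's `Temp` directory is worth an incident on its own.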
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
Files
memory/5076-0-0x00007FFD03473000-0x00007FFD03475000-memory.dmp
memory/5076-1-0x0000000000A00000-0x0000000002A9A000-memory.dmp
memory/5076-2-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
| MD5 | 97d68ae3931a39ff0e4cffee22a1b161 |
| SHA1 | a5a815ad153c0dc428e02f3f4e5bd8f23deb2c03 |
| SHA256 | c8a9ad538458d0afd1700a39ce21e7754eeefad5664350bb0c89a431637a8ba9 |
| SHA512 | 510ea25ac3fcf67d9d4cf225dc00fff7526248374431f1e9a0a000a648f02918bd6dec212d10d5a795599602faf8766348ab568bfc4174f57ccd12f74adae69c |
C:\Users\Admin\AppData\Local\Temp\Активация Nursultan.exe
| MD5 | af0bff984d9512363983d04f36f9e098 |
| SHA1 | e3866b21b4a526237cfcbc36dff7546f5646c7dc |
| SHA256 | 98e7f3de4d05a90b7cbf1df807f5dab640b852e84824a34fa31b3ac1e2e7856f |
| SHA512 | c785d396c546496382dff5c6f8cbcb4faaccfec94216729847f9ed89315053228f181c1b22fcad08ae62a557a11ea698b1c16658a2e0d090ada08af664c8fe41 |
C:\Users\Admin\AppData\Local\Temp\SolaraB Setup.exe
| MD5 | a1d8db2a1ff742bc73dd5617083f5fde |
| SHA1 | 957b182d82efb40a36099dd886ad581977880838 |
| SHA256 | d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a |
| SHA512 | 0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | f0b33cc162bfd36a995b8c90cd8ebff1 |
| SHA1 | ca1ddef08d47fc15a44a2d651b61e3decce8ebc6 |
| SHA256 | 6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0 |
| SHA512 | 1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0 |
C:\Users\Admin\AppData\Local\Temp\Запусть.exe
| MD5 | 0df0a039309525fd27e1b5e056c92b6a |
| SHA1 | 7551c27a9123cb56c4218647966a753794ac2961 |
| SHA256 | a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f |
| SHA512 | 2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6 |
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
| MD5 | 6850a8c541b310a2f4a5cd88352856a3 |
| SHA1 | 372ff19e90cec46e37797b343fe6f537116b4aae |
| SHA256 | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95 |
| SHA512 | 924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa |
memory/4288-54-0x0000019D98160000-0x0000019D981A0000-memory.dmp
memory/936-22-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
| MD5 | f5a185a89b70dd568848d970055c136e |
| SHA1 | 8e294e93b0444572193d29524fdff191a015f623 |
| SHA256 | 21557c9e0666684a4a9885051f5c946b46c7cc2e572d940968699fb05d92c875 |
| SHA512 | 79a848c6166cd965598533ea4be61e012928f563a6c5a713f4b1afac06f0ee394621221c62febc3e7e25c4f00e823f7b5223ea5fcf100a434c4cb8fc8182fbff |
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
| MD5 | 3137c089f2a3f95717b95f46d99cb5a3 |
| SHA1 | 7f4f5ce3e71817118df9fb0b2a017b450f95a183 |
| SHA256 | 9eb609e5485dbae1b30b965f6623334c2946cda8fa62b1c2850881bfdbd650d3 |
| SHA512 | faa149277176e864dd7243433797c1437d997c0cbafda4c8ba88510017dcecf37be92746c48501ecb978b33cad4c787dc088139c3715dde8e64247f8a9b2cfb7 |
C:\Users\Admin\AppData\Local\Temp\AntiRemoteDesktop_protected.exe
| MD5 | 7dccc58ea66b524ca92618f75bf13996 |
| SHA1 | 23552529daa8852d72c5c7b655b395abff358287 |
| SHA256 | b0690399ac4f18160dfe432c6c984e4fb37f8c28b13d0bf74043bd258d6043d3 |
| SHA512 | f90149543fe4a5909ce28f4a341c8bf5902ee50b464c20436c63b4c6fba07db1466c49446c55ca564fb18d4cff0835a3626700d48ab1a87237e748a577633fee |
memory/3300-93-0x0000000000F30000-0x0000000001230000-memory.dmp
memory/2228-104-0x0000000000980000-0x00000000009DC000-memory.dmp
memory/1608-105-0x00000000001F0000-0x00000000003D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Meatspin.exe
| MD5 | e7c0320cb474f7f0f34ad25c3e343226 |
| SHA1 | d9780cfbb2bd28f0596cff1dcc9ff10a303e78c1 |
| SHA256 | 3d733b07ec2bbf0c7c5c967d7cb5a6a1ec9a2da1b07d2f9afd95938c661ab0e6 |
| SHA512 | 5552332982d55fe9427b79b749555a8f8463f35a1706c92da16b2f277d07f17df35e4279463e15a5714502770b04086e6e4383f996917ed7ee2fe46eefae11a0 |
memory/2400-103-0x0000000000160000-0x00000000004CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Русский Гусь.exe
| MD5 | 71dca900fdc00f75e2b0f19b9bbbd7aa |
| SHA1 | cb9160cefe3c5192f65ca4311047f38592ca9668 |
| SHA256 | ace4359d6932b06de3b2562a360a812a29e4d1ad66071a891849671d8497676d |
| SHA512 | 8968f2dd43f7c8b554bf6e22515a605fedeacff79348821e34e995a7ea95a38545b3d841d2a7a15ff6c58047619230256d9e25d1f33105824d74f9a0dcca5ec4 |
memory/3208-110-0x0000000000BD0000-0x0000000000FE4000-memory.dmp
memory/1608-118-0x0000000004E80000-0x0000000004F1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.pdb
| MD5 | 5e0ccb3bd78be9cd539fef6e4005e47a |
| SHA1 | 9a28756dffdef59d36bf42cb9cc8e02e454026d2 |
| SHA256 | 4e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8 |
| SHA512 | 4c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372 |
C:\Users\Admin\AppData\Local\Temp\скример.exe
| MD5 | 3c3d1168fc2724c551837a505ea4374e |
| SHA1 | 86c913a12067fd2c1bbc31fb64a5b5d056175841 |
| SHA256 | f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09 |
| SHA512 | 0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e |
C:\Users\Admin\AppData\Local\Temp\headache.exe
| MD5 | be76d75db792b7e1c44205aeef5c39a2 |
| SHA1 | 2da0da5cc1dbf277e15d64bc18edf93fb2b161c3 |
| SHA256 | ccdab9996202e3f192c67c1d1d720a5f9b1de063193f5c52eaf97d669a8e6e32 |
| SHA512 | d9a1c8d96ab43818add9f51e0c4cc3a4dabcd00059eed3e477bfa2ac398399a21fe6a0714c783c6ac4ac843a383af3cc9912fe1d7df03853db6cfeab10ac0945 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe
| MD5 | c883e2c769ebe56240a71260b17f1b93 |
| SHA1 | 4a831d4f48f6ea81db508c2a87cf860acd17edb1 |
| SHA256 | 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff |
| SHA512 | dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376 |
memory/3668-276-0x00000000003E0000-0x0000000000B40000-memory.dmp
memory/3668-278-0x0000000005490000-0x0000000005522000-memory.dmp
memory/5076-279-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/3668-280-0x0000000005640000-0x000000000564A000-memory.dmp
memory/3576-264-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1608-261-0x0000000005610000-0x00000000056C6000-memory.dmp
memory/1608-241-0x0000000005B40000-0x00000000060E6000-memory.dmp
C:\ChainReviewcrt\YCVmOKLi2cE5f8VDee8IIrvR4EqTMXF6LxehtVVFhgDVO8nr3r.vbe
| MD5 | 461f605a6988ea7c1679762702e3f465 |
| SHA1 | 429ea0d48d5ad426ab14fd34346391429c45570a |
| SHA256 | 10f817c63b22ba6e2367b68dd8829bf5404201ee85922a8deb3933484512dad4 |
| SHA512 | 7bc3ce18780d8f46b1935f87f101b6d5a23d6d9aac001dd291a18b34c7955de282108df24621ff1b5de14e405c48236406a49cf6c0397b14b6f939c3878e389d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.dll
| MD5 | 6f6c8f80d6c36739147b38016bd4b469 |
| SHA1 | bf0f81a00ccc595242620b15ade2a0661424d9e3 |
| SHA256 | fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4 |
| SHA512 | 1b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6 |
memory/936-94-0x0000023DDE070000-0x0000023DDF156000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CHECK_CHEATS_PRIVATE.exe
| MD5 | 4b6c4ec849d97d4c075845052e0019a5 |
| SHA1 | d1f82d366fa4d3d0b70ea52c6f11a78d5c3d08e7 |
| SHA256 | 9540bb611792eddddbcd87c6136e195a509ae60a12a194ac6d9bfec7f626f0b1 |
| SHA512 | bd6a537d5b5474fa6371b90796148bd3651829e2ad79a94620ad5ac4aff0d41ac7ac4af555b34a137f81f483cd0eb82532342b5aa1707f3bcfd8bd4d945e4cb5 |
memory/2052-283-0x00000000000D0000-0x000000000010E000-memory.dmp
memory/936-284-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/2584-293-0x0000022477760000-0x0000022477782000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ouni03j4.now.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2052-305-0x00000000050D0000-0x00000000050DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.ini
| MD5 | 0288c130074a043df404ac331b9842b3 |
| SHA1 | 196355e0ac857082a32e36c4938fe22794b8c55b |
| SHA256 | db74de308ed6c409c5460ba10ddb590ed1f5b5281a61e10934d004feba454ee9 |
| SHA512 | 52af081fbf93803ab11b4ebc219371662613a9ca05980a045c6af258ea631f2462d6f932959f9d98777e18644a608e884757c5886e00bbbdaa138b3f8afeb07c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseModdingAPI.dll
| MD5 | 9eb11041f2f11d939074e26b4b554088 |
| SHA1 | 50deec7591fcc5db40939543fc9bf92109f2df05 |
| SHA256 | efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79 |
| SHA512 | 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\Honk1.mp3
| MD5 | db2b7cf36003b2b653df6f3ca986e007 |
| SHA1 | d61a94c7b965dec3daa6351d849fa22f646edf8b |
| SHA256 | 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b |
| SHA512 | 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3 |
memory/2052-308-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-311-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-314-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-320-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-324-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-323-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-322-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-321-0x0000000006A20000-0x0000000006A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\Honk4.mp3
| MD5 | 9b24558524e7f3ec1dd7d123d10541fc |
| SHA1 | d373cc754817870f18d640c6fa04627c74e8f518 |
| SHA256 | 46aea3ca7321989695db5b15f7997802a6266512d6fe298a26dee9dd6a98ba87 |
| SHA512 | e6e0c4e77143e778599b4952c0e0741b8cd092d08179c4b4f1b63698562ec3bcf362888585e253cb53113d3c51b6225d8d4e43cd95b7122c7c2881828d392397 |
memory/2052-318-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-317-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-316-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/2052-315-0x0000000006A20000-0x0000000006A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\MudSquith.mp3
| MD5 | b2354d238829d09c54e272d8b4f60189 |
| SHA1 | 5a2731c04c50903d41f65d9fe5528a66cbefa289 |
| SHA256 | d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba |
| SHA512 | aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9 |
memory/2052-312-0x0000000006A20000-0x0000000006A30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5ba388a6597d5e09191c2c88d2fdf598 |
| SHA1 | 13516f8ec5a99298f6952438055c39330feae5d8 |
| SHA256 | e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca |
| SHA512 | ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19 |
memory/2052-310-0x0000000006A20000-0x0000000006A30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6903d57eed54e89b68ebb957928d1b99 |
| SHA1 | fade011fbf2e4bc044d41e380cf70bd6a9f73212 |
| SHA256 | 36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52 |
| SHA512 | c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e |
memory/2052-309-0x0000000006A20000-0x0000000006A30000-memory.dmp
memory/1340-358-0x0000000004D20000-0x0000000004D56000-memory.dmp
memory/1340-360-0x00000000054A0000-0x0000000005ACA000-memory.dmp
memory/1340-363-0x0000000005CB0000-0x0000000005D16000-memory.dmp
memory/1340-362-0x0000000005C40000-0x0000000005CA6000-memory.dmp
memory/1340-372-0x0000000005D20000-0x0000000006077000-memory.dmp
memory/1340-361-0x0000000005340000-0x0000000005362000-memory.dmp
memory/1340-381-0x00000000061D0000-0x00000000061EE000-memory.dmp
memory/1340-382-0x0000000006740000-0x000000000678C000-memory.dmp
memory/1340-383-0x00000000073D0000-0x0000000007404000-memory.dmp
memory/1340-384-0x000000006D1D0000-0x000000006D21C000-memory.dmp
memory/1340-393-0x00000000067B0000-0x00000000067CE000-memory.dmp
memory/1340-394-0x0000000007410000-0x00000000074B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\check.exe
| MD5 | 1df0f6462d06b13054171fda4b2a442b |
| SHA1 | 2278f9bac4aa58544c6fd398b438b6999d8f672b |
| SHA256 | 17f8f2f0dc25497fe6594b719a5777f14c07477530c7b133e0fbdc6620e85d56 |
| SHA512 | 885f187e87c213fd24468287a3d4ed974fe54d4ffc2485ec0ede8dc88bfe8ba643d0a84c0525e89cb03a478f2635b76cdfcb0da78c6f59b13f8bd40166a388a4 |
memory/1340-407-0x0000000007520000-0x000000000753A000-memory.dmp
C:\ChainReviewcrt\GvwJ8NcbCdMxeCxLRM27L6ajB5P7LjMMpRKH.bat
| MD5 | 0bd85aa4a09ae6b044217f37ff423642 |
| SHA1 | 1598c2fbddf1a552297f6bd68d908b2ca70ba8e1 |
| SHA256 | 70e188a2e87190049a7a4ccd4ddc059431ffcbc202d06762ebb6c5de3ea7f257 |
| SHA512 | 12dc3be3e46c1ecaa13736ccd4a7590f554f899a5d7c4e3de8b74de8be41c8316db544ee2bae779c8cf11747d7d7279b780ce55cdc6c7890fdfd7ce219d44201 |
memory/1340-408-0x0000000007590000-0x000000000759A000-memory.dmp
memory/1340-405-0x0000000007B60000-0x00000000081DA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5d89585ef4d4520625ec6caff1996c2 |
| SHA1 | cade7165562815bbefe00d74a0efa6fc13df926a |
| SHA256 | 00322c1574ce466dd96381bad7b988c35bf8de551a0de45c867c664588415a30 |
| SHA512 | f207c941fef14471d0d21bcb5f26b7c5ba73c73d1be00b4b36c46dac81fa57ce837963fccf3ec39961e46666cbcc0c0000bed56deee5467e3ff4dc955f04a467 |
memory/1956-425-0x00000000001D0000-0x00000000003AA000-memory.dmp
memory/1340-427-0x00000000077C0000-0x0000000007856000-memory.dmp
memory/1340-428-0x0000000007730000-0x0000000007741000-memory.dmp
C:\ChainReviewcrt\Blockbrowserinto.exe
| MD5 | 44af609614d408633bb7ef5f561776c8 |
| SHA1 | 93c9ce7211132715569472b9162e1afbc56a5cb9 |
| SHA256 | 499db06f2972e7f7a4861ef3b6f9cc7e9d850383e315df00a6c9ad682908759f |
| SHA512 | 5b24e3e7510370b255839f7a6e57f7cc05a3702a327eb0bab63ee466197d9c1d9dc9d8a91508defb6342ee0e5d13119623b3dee6d78c01da3ee9f5e343f9be20 |
memory/1340-445-0x0000000007760000-0x000000000776E000-memory.dmp
memory/1956-447-0x0000000000C40000-0x0000000000C4E000-memory.dmp
memory/1340-448-0x0000000007770000-0x0000000007785000-memory.dmp
memory/1340-455-0x0000000007880000-0x000000000789A000-memory.dmp
memory/1956-458-0x0000000000CD0000-0x0000000000CE8000-memory.dmp
memory/1956-456-0x0000000002600000-0x0000000002650000-memory.dmp
memory/1956-454-0x0000000000CB0000-0x0000000000CCC000-memory.dmp
memory/1956-468-0x0000000000C20000-0x0000000000C2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js
| MD5 | a50f4b9a21df1c2fa4634dd0533d2b9e |
| SHA1 | 1cd1d88cab94848088929580e1567241891b6347 |
| SHA256 | bffd1c108ae35eb48d72e4fe993fee20a725b7f96a4cebb24ca0ffe99a9eb1e5 |
| SHA512 | 141994f37d0d4b85d491fed85b69333509b20f590b32db4b6e71f26fa81184f4b70f921eab4f29e25059148c9ca2ea615ffd2389fa10b0d6dc27341904dab72e |
memory/1340-492-0x0000000007860000-0x0000000007868000-memory.dmp
memory/3208-498-0x000000001BE80000-0x000000001BE8B000-memory.dmp
memory/3208-497-0x000000001C1A0000-0x000000001C1BE000-memory.dmp
memory/3208-496-0x000000001BE70000-0x000000001BE7D000-memory.dmp
memory/3208-495-0x000000001BC30000-0x000000001BC39000-memory.dmp
memory/3208-494-0x000000001CA90000-0x000000001CAD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6gSubdolQT.bat
| MD5 | 4298dc27c7c7eae3cc482d50c0441af0 |
| SHA1 | 600636539cd6d986dd7895e4ef2fd3187faf9dda |
| SHA256 | 78b0f6d1414aace9b2b15bc755b9fedc1ac2b74b0f9b0cb0c26181827839e094 |
| SHA512 | e55360e2a4af760f43ddfb1d7093fad13536554962a6ffbe4a85a7f61c862247505216d3be5e14eefd82a931ae34f9e8f2c62dc24401025b03961f38b8ff0549 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js
| MD5 | e0d01b058a926ab59c3aa58a407668d8 |
| SHA1 | 1776d40634d6f7e4f95d5c02d3b09057942b2ff9 |
| SHA256 | f32661a2086999f55b83a95df5ae24e8e76a2b6da26207d0eac20a16e698e2d8 |
| SHA512 | 6df4739a3e04406681cf5486626c26f2d16a3545138a129c2b659d5dacf34e91ce1d3ece3e8eb4c8a5e55157359cb4704db887467aab92b433bde210343c915a |