For this artifact, I located the malicious downloaded program. As usual, I opened it in FTK Imager to examine it and to retrieve its hash.

In this case, however, the hex view is entirely zeros: the file's content is gone, which suggests it was overwritten or deleted before the disk was imaged. Hashing what remains would only give the hash of a zero-filled file of that size, not of the original program, so direct hashing is useless here. With the content unavailable, the alternative is Amcache, which records a hash of executables at the time Windows saw them on the system.

About Amcache:

AmCache (Application Activity Cache) is a forensic artifact in Windows operating systems, first introduced on Windows 7 (via an update) and fully implemented in Windows 8 and later; the hive on this system uses the newer schema, which the parser reports as "new format". AmCache tracks metadata about executables and other files that have been run on (or interacted with) the system, including their SHA1 hash, full path, size and version information. It is part of Windows' Application Compatibility Framework (AppCompat), which helps programs run smoothly by recording information about the executables it has inspected.1

The hive lives at C:\Windows\AppCompat\Programs\Amcache.hve. To extract its entries I use Eric Zimmerman's AmcacheParser, where -f is the hive to parse and --csv is the output directory. Here is an example run:

PS C:\Users\Huy\Desktop\Tools\EZtools > .\AmcacheParser.exe -f "..\..\temp_extract_dir\Amcache.hve" --csv ..\..\temp_extract_dir\
AmcacheParser version 1.5.2.0
 
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AmcacheParser
 
Command line: -f ..\..\temp_extract_dir\Amcache.hve --csv ..\..\temp_extract_dir\
 
Warning: Administrator privileges not found!
 
 
C:\Users\Huy\Desktop\temp_extract_dir\Amcache.hve is in new format!
 
Total file entries found: 36
Total device containers found: 4
Total device PnPs found: 83
 
Found 36 unassociated file entry
 
Results saved to: ..\..\temp_extract_dir\
 
Total parsing time: 0.317 seconds

The SHA1 hash is in the SHA1 column of <timestamp>_Amcache_UnassociatedFileEntries.csv. A file name or path can be changed freely, but the hash cannot, so this value is the unique identifier to pivot on when analyzing the program (VirusTotal and threat-intel lookups, matching against other hosts). Two caveats: in the hive itself the value is stored with a "0000" prefix, so strip it if you read it from the registry rather than from the CSV; and Amcache only hashes the first 31,457,280 bytes (30 MiB) of a file, so for anything larger the stored SHA1 will not equal a full-file hash. Note also that an Amcache entry shows the file was present and inspected by the compatibility subsystem, not necessarily that it was executed.
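As an added example (not part of the original write-up or of AmcacheParser), the following Python script does the pivot described above offline: it parses a constructed CSV in the shape of AmcacheParser's UnassociatedFileEntries output, pulls the SHA1 for a file by name, normalizes away the "0000" prefix, and checks a candidate file's bytes against the record using Amcache's 30 MiB hashing limit. The column names are an assumption based on AmcacheParser's new-format output; check them against the header row of your own CSV. The sample rows and hash values are constructed (the installer hash is SHA-1 of "abc").

```python
import csv
import hashlib
import io
import os

# Amcache hashes at most the first 31,457,280 bytes (30 MiB) of a file,
# so for larger files the stored SHA1 is not a full-file hash.
AMCACHE_HASH_LIMIT = 31_457_280

# Constructed sample in the shape of AmcacheParser's
# <timestamp>_Amcache_UnassociatedFileEntries.csv. Column names are an
# assumption; verify against your own header row. ProgramId values are filler.
SAMPLE_CSV = r"""ApplicationName,ProgramId,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name,FileExtension
Unassociated,0006d8e5e4d0f1b2a3c4d5e6f70819203a4b5c6d7e8f,2023-03-01 09:12:44,0000a9993e364706816aba3e25717850c26c9cd0d89d,False,C:\Users\Huy\Downloads\installer.exe,installer.exe,.exe
Unassociated,0006aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,2023-02-20 18:05:10,da39a3ee5e6b4b0d3255bfef95601890afd80709,False,C:\Windows\System32\notepad.exe,notepad.exe,.exe
"""


def load_entries(csv_text):
    """Parse AmcacheParser CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalize_sha1(value):
    """Return a lowercase 40-hex SHA-1. The raw FileId registry value carries a
    '0000' prefix; strip it if present so CSV and hive values compare equal."""
    v = (value or "").strip().lower()
    if len(v) == 44 and v.startswith("0000"):
        v = v[4:]
    if len(v) != 40 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not a SHA-1 value: {value!r}")
    return v


def find_by_name(entries, name):
    """Case-insensitive match on the Name column or the basename of FullPath."""
    wanted = name.lower()
    hits = []
    for e in entries:
        basename = os.path.basename(e.get("FullPath", "").replace("\\", "/")).lower()
        if e.get("Name", "").lower() == wanted or basename == wanted:
            hits.append(e)
    return hits


def amcache_style_sha1(data):
    """SHA-1 the way Amcache computes it: over the first AMCACHE_HASH_LIMIT bytes only."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def full_sha1(data):
    """Ordinary full-file SHA-1, for comparison with the Amcache-style value."""
    return hashlib.sha1(data).hexdigest()


def is_zero_filled(data):
    """True when a recovered file is nothing but NUL bytes (as in the FTK hex view):
    hashing such content says nothing about the original program."""
    return len(data) > 0 and data.count(0) == len(data)


def matches_entry(entry, data):
    """Does a candidate file's content correspond to this Amcache record?"""
    if is_zero_filled(data):
        return False
    return normalize_sha1(entry["SHA1"]) == amcache_style_sha1(data)


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    for e in find_by_name(entries, "installer.exe"):
        print(e["FullPath"], normalize_sha1(e["SHA1"]), e["FileKeyLastWriteTimestamp"])
    # Two files that differ only past the 30 MiB limit are indistinguishable to Amcache.
    big_a = b"X" * AMCACHE_HASH_LIMIT + b"tail-A"
    big_b = b"X" * AMCACHE_HASH_LIMIT + b"tail-B"
    print("amcache equal:", amcache_style_sha1(big_a) == amcache_style_sha1(big_b))
    print("full equal:   ", full_sha1(big_a) == full_sha1(big_b))
```

To use it against a real case, replace SAMPLE_CSV with the contents of the parser's UnassociatedFileEntries CSV and feed the bytes of any recovered copy of the program to matches_entry; a False result on a zero-filled file is the expected outcome for the situation described here.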

Footnotes

  1. https://www.magnetforensics.com/blog/shimcache-vs-amcache-key-windows-forensic-artifacts/#amcache