Analysis Overview
SHA256
31800ebdfe2ec7b3847c064281aeaec2586cd8e76d88e662364dcee4c5ee45b3
Threat Level: Known bad
The file XWorm.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 10:00
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 10:00
Reported
2024-05-27 10:03
Platform
win7-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {37FFB73E-C9AF-410F-BA79-8081C8AC3DCB} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:10438 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.165:10438 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/2224-0-0x000007FEF6093000-0x000007FEF6094000-memory.dmp
memory/2224-1-0x0000000000380000-0x00000000003C4000-memory.dmp
memory/2224-2-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp
memory/2648-7-0x000000001B550000-0x000000001B832000-memory.dmp
memory/2648-8-0x0000000002340000-0x0000000002348000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5d1054d95bbeaa01093d66e76351029a |
| SHA1 | 6fdcba7062222a0a4468842b624d4ff681ade83d |
| SHA256 | d019f5de1b11be9b68be73d8496cfd8ff4b57d1ea369fb5f75a96cb2d3170d5e |
| SHA512 | 14a34c1649cb277e3b7d524f7672f3da7aff17b93dcccc5efe021c81909473f7b05e41e09555a9081655a91389c188b9bb6e79bba7bfba597bfeb6adc9956f7d |
memory/2704-14-0x000000001B670000-0x000000001B952000-memory.dmp
memory/2704-15-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2224-30-0x000007FEF6093000-0x000007FEF6094000-memory.dmp
memory/2224-31-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp
C:\Users\Admin\AppData\Roaming\svhost.exe
| MD5 | b1534015cbe713e13efc7d016219ad61 |
| SHA1 | 132526e2727cc3ada220c2ece52d5f6e59cc7ca6 |
| SHA256 | 31800ebdfe2ec7b3847c064281aeaec2586cd8e76d88e662364dcee4c5ee45b3 |
| SHA512 | 6422eba622c571fd12de0f3b0cb54b8ba3d3adf804302023b53b9363adb13518f9aa9b4828dd1435d994390a6b7a1f8123dc06d2a44f22a2e12b79e579da00d0 |
memory/2740-35-0x0000000000AF0000-0x0000000000B34000-memory.dmp
memory/1776-38-0x0000000001070000-0x00000000010B4000-memory.dmp
memory/2224-39-0x000000001A7A0000-0x000000001A7AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 10:00
Reported
2024-05-27 10:03
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-701.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x32-701.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612776747547706" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kmtojt.7z"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff767dab58,0x7fff767dab68,0x7fff767dab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4504 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4984 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5104 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3624 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4892 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3172 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5140 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5476 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5528 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e2e8784f8f97436a9c22cc33f59f0ef5 /t 4044 /p 4968
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1648 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3164 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=1892,i,2974581931111616172,14012273983571365163,131072 /prefetch:8
C:\Users\Admin\Downloads\winrar-x32-701.exe
"C:\Users\Admin\Downloads\winrar-x32-701.exe"
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\729dc85997eb47ad8a563a31ae9724b6 /t 1912 /p 2516
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:10438 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp |
| DE | 3.124.142.205:10438 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 202.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.178.250.142.in-addr.arpa | udp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 174.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| FR | 216.58.213.78:443 | clients2.google.com | udp |
| FR | 216.58.213.78:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 78.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| FR | 142.250.179.74:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | 162.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zxx.groovesell.com | udp |
| US | 104.17.142.116:443 | zxx.groovesell.com | tcp |
| US | 104.17.142.116:443 | zxx.groovesell.com | tcp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | core.spreedly.com | udp |
| US | 8.8.8.8:53 | js.mollie.com | udp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 8.8.8.8:53 | staxjs.staxpayments.com | udp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 8.8.8.8:53 | js.authorize.net | udp |
| US | 8.8.8.8:53 | js.braintreegateway.com | udp |
| US | 8.8.8.8:53 | kit.fontawesome.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.2.182:443 | core.spreedly.com | tcp |
| US | 34.111.145.109:443 | js.mollie.com | tcp |
| US | 151.101.2.133:443 | js.braintreegateway.com | tcp |
| US | 151.101.2.133:443 | js.braintreegateway.com | tcp |
| SE | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 104.18.16.199:443 | staxjs.staxpayments.com | tcp |
| US | 104.18.12.54:443 | js.authorize.net | tcp |
| FR | 18.244.28.123:443 | js.stripe.com | tcp |
| FR | 18.244.28.123:443 | js.stripe.com | tcp |
| US | 104.18.40.68:443 | kit.fontawesome.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| FR | 18.244.28.123:443 | js.stripe.com | tcp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | ka-f.fontawesome.com | udp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | tcp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | tcp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | tcp |
| US | 8.8.8.8:53 | 116.142.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.145.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.16.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.40.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.12.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.28.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| US | 151.101.0.176:443 | m.stripe.network | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | v1.gdapis.com | udp |
| US | 172.67.200.87:443 | v1.gdapis.com | tcp |
| US | 8.8.8.8:53 | 119.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.0.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.200.67.172.in-addr.arpa | udp |
| US | 172.67.200.87:443 | v1.gdapis.com | udp |
| US | 8.8.8.8:53 | grooveapps.com | udp |
| US | 104.18.21.180:443 | grooveapps.com | tcp |
| US | 8.8.8.8:53 | app.groovefunnels.com | udp |
| US | 172.67.152.145:443 | app.groovefunnels.com | tcp |
| US | 8.8.8.8:53 | assets.grooveapps.com | udp |
| US | 172.67.139.119:443 | ka-f.fontawesome.com | udp |
| US | 8.8.8.8:53 | app.groove.cm | udp |
| US | 172.67.139.13:443 | app.groove.cm | tcp |
| FR | 142.250.179.74:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | m.stripe.com | udp |
| US | 54.218.138.227:443 | m.stripe.com | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 172.67.152.145:443 | app.groovefunnels.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.139.67.172.in-addr.arpa | udp |
| US | 172.67.139.13:443 | app.groove.cm | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | 227.138.218.54.in-addr.arpa | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 35.215.58.216.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
Files
memory/4292-0-0x00007FFF7CB13000-0x00007FFF7CB15000-memory.dmp
memory/4292-1-0x0000000000A60000-0x0000000000AA4000-memory.dmp
memory/4292-2-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
memory/4516-3-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1wusvxz.yfs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4516-14-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
memory/4516-13-0x000002B5FEDE0000-0x000002B5FEE02000-memory.dmp
memory/4516-15-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
memory/4516-18-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 531f08ac3a06c5a3a09412a10fd95626 |
| SHA1 | ad756b5c27e710d81ece8a6d4fe865230cdc2bbf |
| SHA256 | 793902b936877a86b5d46d629a1c6d8c68ac8d42981788ddd4ede0f3381af6b0 |
| SHA512 | ac8c608fae29fa780400ac84e79b86c4a34ee7068f4f2c8056e4a2209a3ba62ae7716eaea2924e8412eab38ad003d59d4538d675019e50f15b3571e14c52fa73 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83685d101174171875b4a603a6c2a35c |
| SHA1 | 37be24f7c4525e17fa18dbd004186be3a9209017 |
| SHA256 | 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870 |
| SHA512 | 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3b444d3f0ddea49d84cc7b3972abe0e6 |
| SHA1 | 0a896b3808e68d5d72c2655621f43b0b2c65ae02 |
| SHA256 | ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74 |
| SHA512 | eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b |
memory/4292-57-0x000000001CD40000-0x000000001CD4C000-memory.dmp
memory/4292-58-0x00007FFF7CB13000-0x00007FFF7CB15000-memory.dmp
memory/4292-59-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\svhost.exe
| MD5 | b1534015cbe713e13efc7d016219ad61 |
| SHA1 | 132526e2727cc3ada220c2ece52d5f6e59cc7ca6 |
| SHA256 | 31800ebdfe2ec7b3847c064281aeaec2586cd8e76d88e662364dcee4c5ee45b3 |
| SHA512 | 6422eba622c571fd12de0f3b0cb54b8ba3d3adf804302023b53b9363adb13518f9aa9b4828dd1435d994390a6b7a1f8123dc06d2a44f22a2e12b79e579da00d0 |
C:\Users\Admin\AppData\Local\Temp\kmtojt.7z
| MD5 | fedb45ddbd72fc70a81c789763038d81 |
| SHA1 | f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a |
| SHA256 | eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2 |
| SHA512 | 813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298 |
\??\pipe\crashpad_5068_GWSPTVFAHACHPLAU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b39c4a3a07c2a5645f05887725e3decb |
| SHA1 | 248cca7735b9b516e5687b887f223292609766d8 |
| SHA256 | d1d13caab2681504639c8e155ee790404506899b749b6a9021f63a0abee07884 |
| SHA512 | a9b3798cc8926688285df4a8a5dce8ca6f8873713dab71fcf46b1dfdfa447a8dfed1131ffcab78b1795110ce5edc0a4a997344786952df9471c24840b8950a99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ac70cbba04c9f793888ab652a1dece4d |
| SHA1 | a45b034eba9d0a59fe60b3550ecfc419b05e754e |
| SHA256 | 3316de83cf060b12c8da8e47b48663acff128b138d16981ef764d8b2477f09b5 |
| SHA512 | a421f8de4226042c16c3dc7b3f5ee11f363d33f6ac5956b0a9a34f032eb1e82d5f68b66722bb6039f11b2d2d2b3a4342e37edf1f790b658bc8d5c4f6e56b7286 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1099294534256141de00ca2799e21a67 |
| SHA1 | 74261093f98ed0b5142b4948fd205f8fbeed7bce |
| SHA256 | 3cd6dd7aab3b839207e7368ae11520774bd15625a484cb9c7c70e9b51fe3a987 |
| SHA512 | 1693e5007493e7f8690cf5c92a39edf20fa7b69bbd87a65a8b94c641110bdc2d4674dff41ab38b9815cb41cbea361c6c1df07827e3c64b0d48007daa0bf4702c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 1acd0dca48f07e86dc4d623d51a8ae1b |
| SHA1 | 31a73d366a182a34e3c6e99027b24c4cce5c97e9 |
| SHA256 | eee92ad459c8f4d58a6b0bb7a87b5bf60352e1f7322b4eddb7943afe23b92dd6 |
| SHA512 | 463dc3cb9a48e6f2959c0ccdaa11608981a000c0e0e73b30b3ef07a62d4ad3ac6d0f974ebcda9813606bfb46474cb5c72cc7cd5ed1aed8d505e3b1aae996c1aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | aa2de543a1258abcd95133aa6d683b0b |
| SHA1 | 4a7a110d4bb48273790d8bdbda9958a78d2ad697 |
| SHA256 | 0713ca1542affed8575002d38f5fdfa6b1bcea7991acfc36d19a07abc36cf901 |
| SHA512 | e3ca85c0342ec5deadbe63386fbf24d4cafcceed919bbe5a5dbbbba6e1947560eb81fdee71a79d2334f4f9a882a74a1a18c162e2f15ab84b646c9b3216fb3b57 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a15394e215fe7f3e8e0d729929c00372 |
| SHA1 | 9ae7445f063170f7e81ea2f2c5444196757a8794 |
| SHA256 | 8c2e3bb748f5294d7d3bb02035f25464dbd1393b589c6b42dbd24e48aad61840 |
| SHA512 | b0edf35343bde892c5580bbc692658c76d839f6404a248f461dcd07223ea67b5b28f62ac9f507b981fc207deb799d59728460c1de843526547d07ce9d1f2bd76 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f51a812bbe0aee907d8d7fd981858759 |
| SHA1 | 3c1f8d05f3b50eb266791baf1c77bab1fd34cb68 |
| SHA256 | ce1015c86befe223e44358ef49303c0613c13888a948f9a9aee28adda2268ec2 |
| SHA512 | de6ef9db0598933e4cd9fe005ac15ffe935fc84b3d5b91198bcac3f364375eac5e2606c2dfa67a972d26578c78c9394bf176060af8cb48eb8bbba70ac696cfad |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 84c623258b40c82e9f89888a0e3e936e |
| SHA1 | 0dc6dfd730bad25817cfa12efac3928984c4f572 |
| SHA256 | 8340dbb4afd19943a2084cc4eafe846964a5f18614ed04b5270909c2463ddf8f |
| SHA512 | ce34ffb83fe09b413c0d465a8ec9a765400353d62793dac61f8d4ee566dd692b774016def1e59449c759d7ced0ceb42f50e1d36bfbe58dc9fee074a965ffafe4 |
C:\Users\Admin\Downloads\winrar-x64-701.exe
| MD5 | 46c17c999744470b689331f41eab7df1 |
| SHA1 | b8a63127df6a87d333061c622220d6d70ed80f7c |
| SHA256 | c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a |
| SHA512 | 4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8bad2c6e98364d28c9e01a3adad66d9b |
| SHA1 | 26ded102bd1c3c2b3464805ae9876ea9c46fdba1 |
| SHA256 | 53afb7795d495dea7ea19e661f29459ec6b267f4b6fcf6f6ab9a551c810557c5 |
| SHA512 | c781a29984b740f457bca67a126cae3842d7d08449cac16b3e302e047e34add4d0320c5c956bfcbbfad209d5f71ce24deae07b002a14efa6cd7a05c2abf4470c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 7cda768926d4d6b70a46e238a5a9ee31 |
| SHA1 | 0539f45adde8996d68b3beff53dd9c6acd98801e |
| SHA256 | fd3e294f476e8cd4852939e67dbd9903ffc2bf0f73272060c92b7c240729d28e |
| SHA512 | e32a26310bf286ab63c6365c0b0136fb0303a0f2cf401ef212b54dc3e556be30fa6c7fd8a8b0159ac186cdccd4db5d33f3eb02708cc4e6055a0dffc3cb83eabe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589601.TMP
| MD5 | 42fac3e375f4f5f0f764b9ce79c94c2b |
| SHA1 | 528da26e6a877bd447baeaab3091ce4858a87330 |
| SHA256 | b31a95b763b7dae44a4167fa1ad5528735bedcef4f917cdcc2feea8b7e3cf5cc |
| SHA512 | c25d8f1c0be28c032910c81b9ccb6de5e2990408c3c0ad19f1080d2bcfcf9c293ed0dbf475ac4435276e6d0bfd7e893856e728f97980c0568919c336a48f102f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2c29c13890a6abe1acfa3e9bb5bd6448 |
| SHA1 | d940a3eeed0831547810ac19c9d807b972aef1a9 |
| SHA256 | af6bb1703e410a6acfc07fa54d329b52934916d7533748ae49293c31f341a906 |
| SHA512 | a9e329739506957220c4cc2f36b1dae13ddb6f6d8278d20978732580deb7b167f9b67fd529daf9619218d9beef528fa67dc40c9c9d21addc40fdbb5007a5958a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3a0aec0831832e23618f535f26a01eb9 |
| SHA1 | 64fd3197997a75e18e07260fcc7c9776e272e11c |
| SHA256 | 526ef05abbe746c44bb51164d74a4af771322d809faa1cdebe1ed974fd187e19 |
| SHA512 | 8ffda239f158aaea31eecc5a009e8e57f6d7a89147de3e04dd986c835c1d4a39ec366afb5509cce2418a389057dd9b9a6ae87abaeb60049627ae9d919419de79 |
C:\Users\Admin\Downloads\winrar-x32-701.exe
| MD5 | 3e5f57ebff875d2e675f122348418057 |
| SHA1 | 260a934824203fbdbe199591038c28ee55ba8de3 |
| SHA256 | a911bbfab70c7545307b9dbcb06273d899ca03aad928f0b66d55b41c25cb4f14 |
| SHA512 | 7b75eaaaca495cd0023c8ebad028b3cd0a72024820cdc4fd37e3fbe15cf66a344b5f34e9a049fd430fbde1567585603d9e98f7058073dc2b67a8aab3717bb9e4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0c191b96f9bc03f714deafbec0f08b84 |
| SHA1 | 04902d770537883cc3f099b2a3af21b38d536b00 |
| SHA256 | 40ff0b72e212b1f6547337d102442a249b40724793fad215a8ee51d1081cf2ba |
| SHA512 | d2cb383ea05b353c56831c949f1e2783cb15491277ea92a303e6e8ed88a8be916956b45e8b16e5f59df8f09e453778f32f70fba2b4d60ee2371427d00297e2f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f5b4bebbe756d896c88ba64c2dd80964 |
| SHA1 | d7017505616b35bee54de7107971173e50f5a0d7 |
| SHA256 | 832ac13a7412e3774f6a55517f05c75722dd4c40c3f7ecd9762cd453f9da0681 |
| SHA512 | 70ec9e83b65634a2da1ea4ef87ee048064f25e886c46441ad4bab99201d7eb8718fa3e4c3e41943dba8887542ad7f003ec30fcd10d561e57d81f9bd6f1bb5226 |