Malware Analysis Report

2024-11-16 13:37

Sample ID 240530-pjnllagg4z
Target Nursultan client.exe
SHA256 234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff

Threat Level: Known bad

The file Nursultan client.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm family

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 12:21

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 12:21

Reported

2024-05-30 12:26

Platform

win10v2004-20240508-en

Max time kernel

172s

Max time network

273s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615454195715151" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Runtime Broker.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\schtasks.exe
PID 2208 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe C:\Windows\System32\schtasks.exe
PID 3004 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 4776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 2832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 2832 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3004 wrote to memory of 536 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan client.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffd4b5dab58,0x7ffd4b5dab68,0x7ffd4b5dab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4152 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2440 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD2B7.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 73.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 brands-omissions.gl.at.ply.gg udp
US 147.185.221.20:3488 brands-omissions.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 147.185.221.20:3488 brands-omissions.gl.at.ply.gg tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 147.185.221.20:3488 brands-omissions.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 id.google.com udp
GB 142.250.200.35:443 id.google.com tcp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.180.14:443 encrypted-tbn2.gstatic.com tcp
GB 142.250.180.14:443 encrypted-tbn2.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com udp
GB 142.250.180.14:443 encrypted-tbn2.gstatic.com udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.porno.com udp
NL 141.0.173.133:443 www.porno.com tcp
US 8.8.8.8:53 133.173.0.141.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 ei.phncdn.com udp
GB 64.210.156.23:443 ei.phncdn.com tcp
US 8.8.8.8:53 23.156.210.64.in-addr.arpa udp

Files

memory/2208-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/2208-1-0x00000000002B0000-0x00000000002C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avgwcoex.f3t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4652-11-0x0000023930270000-0x0000023930292000-memory.dmp

memory/4652-12-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/4652-13-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/4652-14-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/4652-15-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

memory/4652-18-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0b72469ca0585278ca9c240a42085ad7
SHA1 dd0371aab5740e6d5f44d75f02f5f2d0a16089b2
SHA256 9e9693e3e021a1a0aeac855d0c2fd330568225282ed4e2d8ea1d876457efa0db
SHA512 77929ab5f47ec18e78e9e57f0cb9a41dd02e8974b59f692175fefdd69a6e84c6c289a8e4cb563fb064857f2c3cf6ce330e8efa7dcb352691fdbd662c90c3b577

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd1d0b083fedf44b482a028fb70b96e8
SHA1 dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256 cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA512 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

memory/2208-57-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

MD5 fe07501d3d052f3240fa2d9da7c2c82e
SHA1 5de5b5464823f238a307f275e5b3f76538ed3405
SHA256 234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff
SHA512 d4002ae6fc0fd8bb9476b2689657797f18cc350062da3c66f56d6049cad5dd34949e2d03e6ba180b2dc131792f310f0ac3ab77b8cae479a1f5106a002457d129

memory/2208-61-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/2208-62-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 583c5525813d9d9f74b76ed066fa1d61
SHA1 f65c48fa13aa2400666c4f6dda7f1592438302e2
SHA256 d452e9cbb5d2716f4bfdee3a071ffb9b7ffabb20237b856437497e05ef962598
SHA512 7e8a0e9e4492696b8f0e76d1c9104f24045842bc1b76bf0356bfc9491ebc7138d22c8dc97bdb09ea42f010c4ee62b6589d7ca75be2bef74217aae02061c1aacb

\??\pipe\crashpad_3004_AFFVXLIKOXMQZBXB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 af5a0aa28acfceacc42589429c09f04b
SHA1 52cc349934dc92444798f553ea5aa1b185319bd9
SHA256 b57a1a96c5a7aaf34bfb61b541b2eee609c3df1ef318aa16c490023fc4cd0101
SHA512 ae6875cd731a639e1db96ef56d5478d4cb2c1f84161dc5b36ca22f86563cd2b1414945432468834c408bd98bd02464b76778fc9bc8fb1cd1af0cfdf1169e0229

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2179b4455d8690a31d9a3d1c2cae92e0
SHA1 0537be8009573b0875183d96283a62da32022829
SHA256 7134d48811891691aedda853f7ec2e43703ec41799d3df5ef4e4d0a076314ec4
SHA512 3f447dc03320145745490190e7af48d04c31790095a6bcaf71bf3d59609bacbb460804ab1479715decfb64470e7da808e9f3f5b2c78373b0ec38948b59c7d8de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f25d23383e8abcf3380529a73725efa9
SHA1 a8af71b5fadfc3c372c025b11b944a5e2e625ae3
SHA256 bdf134242d5c99b2fca284bb945eab3e79759206a2e815cc59887edd90353c80
SHA512 05bd47ffe9a49b2c6cb2ddd428fe26dc6e24f447be8eab50eb9e1c9217f6204da79867aaefd620ba74ff8f5ad3e20d686d80107c625e43da80f63b055937419e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d3735f4ca81b46a66bbc88a56854949c
SHA1 ecb1255028815ccae482eea562a7f136013c9553
SHA256 aa2c6d785a60ad23da8ac9e23ae4862859ff1583ee97d43cde7328825cfe3e65
SHA512 65502d2675a223e3278e5d20a7faeecaad47cd4e090196624423a06097ca3cfa1cab1c8bd31dcc8e44348813575a3d97f4f422d58d02e3e623985429e288b5c8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4e2882c2075639b2ed6814503754606d
SHA1 0a44179359bbc8890a892ff6e9f701d3082b5d66
SHA256 70b4ae9025ff150ff7503ef8345b20abf97c2a7c2fcacec101ac44a61232dfc0
SHA512 015de2ee70733fd8c3c3767d53e3acf49badda262783da2e89760a038069323c5e3df6322def0b6e2a6976c0e97be8b3de5d5fa16e4f52828ad31efb5ea219c7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2baacff9c1e483ce541601cf28d4ca4a
SHA1 57d1de8e259066c76f11d619de22d52a135bd742
SHA256 44c4b6788438264c0bca8994fa0a058eb03ed0d6fb9ddcbe0281838784ede037
SHA512 37fcb003aa581c82204d5cb59ec89772b36b91ca6bbe83d72fba2c36ebde4a425481bbd31c2c8f4551013ce053eb15cd85f2105ce5954ea9a75ac701fec83562

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5980de.TMP

MD5 93708ebdb4f047e921a2d2c0cac25f09
SHA1 ca3c73dc54cb5caa70a4eb52abd68d31d2f56320
SHA256 de055871c93692dbfb5ab83854148eb0594711e6550d03d63144e49b38002ec8
SHA512 5d25174a2331f6916b8d19d999d14a516bd499d35b14bb6f34aba062cad1026d4fa04325ae126c7d0c95e8594a57f1862934ddac70c8e92262882458d26b39e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 44dbf3a7f855833cdd60bea73ca33e94
SHA1 9b4cc050716ba0933cf5fbc82b0d72f18ac71067
SHA256 9591018f5272f79a21b6d8d0cc8738e8b5bebbc6173ea02ecabc979cb33219ff
SHA512 e21360e75bb8388efafe17baf65e8255cdd05b5d422f8e8f63c83352c3a0745ab38992465099227287bcf7add7de0eeaaab145307f2f572fcb15194f7e08faaf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 cbb19afbf6bbf054175b1fc621bb5789
SHA1 37388b39e22d42fa9419d79cd910f0edcc310ffd
SHA256 d39517e01eddb226f6be41a2be1bba432b78762154e784264c00a636caa912b4
SHA512 1c5ced4d2fce942d59a73c3032999e26ca1365892512118158269624894862389d34e016612de51d91b8880964ef4539df682ec9455f40d7c6481e42122f1fbe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d09835d4d66add17832fe8fc1277a005
SHA1 31bba0582024c260ccd2b65b79ec53413f813277
SHA256 63b942b7c0da87f0761e1cd716394586a12e23140c0c53a7a7a212177837f228
SHA512 de170a2594e751a52b13e63b0e4a466af3a61a0e24509c13b8ae303816a1af351dc8d4d56f87a07bfd2c0d3d556cff220c103e324329674bd8c8d2dcd59916fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 40b616af43491d68a083c91f121a33e3
SHA1 d9f4e84c744b8fbc0889926264e9559ead79accc
SHA256 e9682bdc629a665e774668e5c0062fbef5c777c53006fa3485df7c6ac1ea98eb
SHA512 8ceec5ce9025901856642940f520645c6111dfd00dfcbcb150929915eae2a425f65ae3aa9751290ad267b47ca1ee80f6e128a22e4fa8be56d62457ef58e3f680

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1b940a0efe6dae503facc2caa7298ee7
SHA1 f9337e09ba32c5f57ff013a7d223076d9ca6b8d4
SHA256 627b01a98e7f2cdf440f0738131482cd7c2f4aabd6e0d42570d914103b668f03
SHA512 e4052a21abc499f124fa5dfcfa31456fa0713351944e29948721760e9e626979319849d8ceb97d460c899f81d5933912a33e91f34fb178db0155e10434595a95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 03cb5ba84e849e1dc4e3c7b90b0c2696
SHA1 087ce3ceea2eac4e21451bf5ddbb2496d20bcecd
SHA256 db6ef7fcc0b68ab9bacec88da4a581c5a34491fb8df6edeae1c2163fcdfb68fe
SHA512 a8743088c1c6bf144cd8bc798c2d0cc31f5ab034928744e20ec95ccebf9dd30d0a29a2743400589ed47191b4c9bdf598163cf8b1a7a52b9b37922b185136243c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f08fc6b93a999076ea8bf83028e84d1b
SHA1 a568f191d2382cf31308004618e42715575d6346
SHA256 d6aa72fafb258b5911ab21ff296d0d7bfc95d76d1243b9a6c3193b9676e64eee
SHA512 cf2ae01966a4160ab48363baac5cbae3cec3f765e7e1072990e8ea14e1cae62c1baaa39d798f88368fa1e1d9a9b94858bfec061dc5c9e5192b104076d5d4ffca

memory/2208-419-0x00007FFD4F1B0000-0x00007FFD4FC71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD2B7.tmp.bat

MD5 595524ce09d8b66ac31139fda7fdd631
SHA1 80c5a6f38a24a7c1178021a0db2f65466a0758da
SHA256 be2ecc6ac955e454f0af20970adbc59d279435d0171a7dc50cb36c77ef6c4cb1
SHA512 5c1f0a2a9fd76fe849033ac054bb8bebf0b37f41e53255e21d4668d335f3e48100e4bd302ce2a393546f19c1510f90a53d8b676960df327af64ab34784dd92bc