Malware Analysis Report

2024-11-16 13:40

Sample ID 240531-qffx1sad73
Target App.exe
SHA256 cdbea5c86b512c61b703948392cd3f2c94c58758d85ad40a63ff38705352b69b
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdbea5c86b512c61b703948392cd3f2c94c58758d85ad40a63ff38705352b69b

Threat Level: Known bad

The file App.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 13:11

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 13:11

Reported

2024-05-31 13:15

Platform

win7-20240508-en

Max time kernel

112s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\App.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\App.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A 7.tcp.eu.ngrok.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\ = "32" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BCC36471-1F4F-11EF-B3A2-4205ACB4EED4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\Total = "32" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\App.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 3012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 3012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 3012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1144 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\App.exe

"C:\Users\Admin\AppData\Local\Temp\App.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\App.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'App.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefca9758,0x7feefca9768,0x7feefca9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2080 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2088 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1112,i,15276698815579651286,4898319268839884136,131072 /prefetch:8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://exmple.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefca9758,0x7feefca9768,0x7feefca9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1132 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1248 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3972 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2268 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x564

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1372,i,9130167772457361194,174710936222427375,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:10589 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:10589 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com udp
N/A 224.0.0.251:5353 udp
DE 3.67.15.169:10589 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 exmple.com udp
US 8.8.8.8:53 exmple.com udp
US 67.210.233.131:80 exmple.com tcp
US 67.210.233.131:80 exmple.com tcp
US 8.8.8.8:53 www.statcounter.com udp
US 104.20.94.138:80 www.statcounter.com tcp
US 104.20.94.138:80 www.statcounter.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 cdn.prod.website-files.com udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 global.localizecdn.com udp
GB 216.58.204.74:443 ajax.googleapis.com tcp
GB 216.58.204.74:443 ajax.googleapis.com tcp
US 172.64.153.29:443 cdn.prod.website-files.com tcp
US 104.18.4.175:443 global.localizecdn.com tcp
US 8.8.8.8:53 apps.identrust.com udp
IE 2.18.24.16:80 apps.identrust.com tcp
US 8.8.8.8:53 d3e54v103j8qbb.cloudfront.net udp
NL 108.156.61.222:443 d3e54v103j8qbb.cloudfront.net tcp
NL 108.156.61.222:443 d3e54v103j8qbb.cloudfront.net tcp
US 172.64.153.29:443 cdn.prod.website-files.com udp
US 8.8.8.8:53 assets.website-files.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
NL 18.239.50.35:443 assets.website-files.com tcp
NL 18.239.50.35:443 assets.website-files.com tcp
NL 18.239.50.35:443 assets.website-files.com tcp
NL 18.239.50.35:443 assets.website-files.com tcp
NL 18.239.50.35:443 assets.website-files.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 remote-auth-gateway.discord.gg udp
US 162.159.134.234:443 remote-auth-gateway.discord.gg tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.212.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 a.nel.cloudflare.com udp

Files

memory/2860-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2860-1-0x0000000000D00000-0x0000000000D18000-memory.dmp

memory/2860-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2720-7-0x000000001B840000-0x000000001BB22000-memory.dmp

memory/2720-8-0x0000000001E60000-0x0000000001E68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\24K51WZGW7A6YH3EDWS8.temp

MD5 31a65f2ccd2e5319443dad43b9e70143
SHA1 1d82ad5f6260481b39e5c8e70058551bcf013119
SHA256 c66566c2017d2a4069041c319ee2c90c00a2aa2b6d668eefdbcb984719d3b8da
SHA512 636eb9ef8e722c08fbf403311ee5c11cfd9f6508168cffab91c9cb1a9d8371b0ffa381407794610d2122cfcddff1d1516e863316fe23d604ef8780b037542932

memory/2784-14-0x000000001B650000-0x000000001B932000-memory.dmp

memory/2784-15-0x0000000001E70000-0x0000000001E78000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2860-31-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2860-32-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2860-33-0x00000000022A0000-0x00000000022AC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\dc07b699-a203-4b28-9993-7984ddf48402.tmp

MD5 811b684644b74ce14405237527da0ea9
SHA1 207e59feeb1edf6c8b5fb97174597e0e2a6f7097
SHA256 d7a29c29db342637ce51bd8d356c1df2b21e059af7d8030286df6bc74bebe28f
SHA512 edb1229bc1c133b8482080ad0b63643d4688a2a7695fb0782b5db443387b757306a13269a1213b90c3de6b47de3569fa1f4a734b72bce8483fa431b181075ada

memory/2860-190-0x0000000002370000-0x000000000237C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\favicon[1].htm

MD5 e0dc97debdfae982ba9dabbecfac652a
SHA1 f5dc07e878fb3b4ca3ed0a12e2b6bfd0736a04e4
SHA256 93c9b4deedd8116f7e455d5d87ac74c50cadfde9e198af6607f4ad2250cd3ee2
SHA512 2c792cb18141e0129290ee82e81956398c405b575ca6d8b4d00253435e13351faf79f0dbf4237d3eeb9dba5e9d477f07d1528c479a16d73a48a46539287bbd61

C:\Users\Admin\AppData\Local\Temp\Cab6B44.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6C73.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 72c8c104a995be18d4523fc3a415c4c7
SHA1 2941caf4bcee7a327b91a6ed0279dd6dc2c92289
SHA256 a95637c551113d259419ed408b7a2f6166c7d2965c915494fbaafd5ffcb31e73
SHA512 9fe1c427a5e164d370929d2ef332ceabc2802395fa537525655dd2c97f02c38b1d087736f59675fb155d517bbab34c1e98f93a126ab29f1efe581c9123475baa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b0c265bb357b7d3dcda54305d4c90566
SHA1 d2740afbfd55c4d0352b3a312f59bd3eba40fa56
SHA256 eac5ff5acb49d31963d08720cc9ca895ba626a70d6afa791dbc9884aa07d3ab2
SHA512 eef08c898c06812f5614861573aea403d0281d4a18900af47739380582a03810c08b5be89b175289b3b83fecb6b383621310cae2f1d0d158b485306e43950f46

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

MD5 c23c84bcfa1b2cf9c19f568229edd310
SHA1 c39ff5092f39daff9a7f5fa08dc3d90e06c0a70f
SHA256 1e48522e42a882d8e49bab171842dfbca1124ffa5676c1428e2d0899b1b04bd2
SHA512 5b38225b41e9bdc476155d6a03f76873dcb611968afab466337d9e04551d2e618ee338480a6032df5f7defd538a609dd3eaea303244997038716c8fb837fc6cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

MD5 22b937965712bdbc90f3c4e5cd2a8950
SHA1 25a5df32156e12134996410c5f7d9e59b1d6c155
SHA256 cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

MD5 8e1a73a1cd869ddbd9bc13cc0bd2f059
SHA1 68ded220eac50e56e9178d7fd962fc3343c177cf
SHA256 bae99df9afc4ad8a8e3cbb6976a608b363f3da548584d57d4e01d3de9ba3a898
SHA512 90603012999c41d6a1805c3723870e70e9283b3bdc8dd2737d0219f9cadfe01a03709567caac1337e92617846e599d119d7c3ab35ae351345b942b3bbbc85912

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

MD5 03d881fc5a4ab4013bd1b30988abb179
SHA1 9ad861569715575d7b676e5683b14dd3cffec304
SHA256 5da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8
SHA512 29ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

MD5 7968abfb9107687bb9bca1b6c657a4d4
SHA1 27bf644b8832ee6c27e6584bc3f0a8937c9f3f91
SHA256 641dff05ef4536a88d143ac7b447fbccc37b39eb92dd1d63670cba4093710288
SHA512 f6472e91e66911c841f3994ca6cad9ac32243976438c974e498e166df5cdbbb96fc2c4ea27589943b91e64f75a3401a71be58d44da70e91519af2f93a9345d6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

MD5 6af8f4fcc12a4771216bb8cbf4333b1d
SHA1 c0a08aaf1598cd3a9aa2fc57790e98894ad07e34
SHA256 c17e84b27270e560cd8fa9b2e446dd50e4714cf1e25bb86f9396db867d9cbe22
SHA512 9159f49f4ac96a3891365aa11f6cf6f98933e520550489f5e4681a6ed6583f5e1e3452bfd04a7d31bcafea7232f1b542b632ab63b181ae822a9b1f0307a8743c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

MD5 bf5d2f12989c73855d34e9a23495f99c
SHA1 a60a6d01e549282c42f6b37b876b3eae373703dd
SHA256 ee67aea9e57a78d79308e5962b28ed026862916577883b97de65dfe26df7cebc
SHA512 a79aa5fd0b516be55d12b0a94e61a9d121cb2fbf43e8c761a108bdd6c52cc1e69674ee4720451020cc8081e7554bfbce43ce66971d07bb78c8993ec6bc5c19db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

MD5 73b08e6c2c5047d952e71d961242d960
SHA1 a31d947f78a04172d4281a253b161e66088fa40d
SHA256 b132ea8cecaa624de43d6f4c41cf1c5ad7d58edfa113b9e2613fff4a360749a7
SHA512 df473e156a75f319a780cfed60f137cb2f78acc78d36d6b3de13bfbc5d6fb067829a5f6aa9db81f500eb4b6766c13d137660a14141ae6d094454c42e036da9ad

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

MD5 fe62c64b5b3d092170445d5f5230524e
SHA1 0e27b930da78fce26933c18129430816827b66d3
SHA256 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

MD5 ce7f9dfb50d23c236d49fb8a96b9cf4d
SHA1 b804cb628635652ee3769c2ab391220f24d2df8a
SHA256 12491a0366e6e6483e5b48b3cdd62861d5a7291d3a4b9321685fdb0691afdd0e
SHA512 a8893c26c6ba06899824d1ce5d2b1800cdda579dee7ac6dcce8e0f4fa64e5a90fe8a6ce738eed6fb0d8929e71c5377a7fdbdda179127909de5fd925bd360238e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 fdd461ecfbf7039aef97d8d8e2fc69b7
SHA1 997bf717d1d5079b796cbb2401d308e46d0afc27
SHA256 2116e9617846db0650178c5cb98dec4f02c32fd4a575e63c7ec64096fafbb914
SHA512 ab305c58450514dd189372c553cabaf1aee90db96376aa73df050c1414be42584abaef4ddc8649485069ee4b060c23fda19f9945a176c711939109c8593437eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 4057e9431dacae0399c85db85a42848d
SHA1 d5a251131500130535f8ff9e080f420b2e5223d6
SHA256 7d6c92d10015bcaada5415adcc11d9281ec4b9a14b6b141e8c439583b2ea7fe0
SHA512 edf9457dd7f6a21ee5e10277032d7610c193c83613cc1d9b55b7f6b4f21a197d8ae8baf1c80b709dc48dd97d215d2200a88fc87e0fdc4a7bca78c7fbc1170f84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 0e4e1529ba5c03dae5224f2eda992fa6
SHA1 230824821925d4abb3e7f39ed44b98f3dd6f9d53
SHA256 97f4fc51f7f2133601af0a8a8fa238ba1a9f493a6492f1de98e2afd47704acc2
SHA512 f76474cd3ebbdc0959f81b2383af90c5bc8ef7b4e3036a7ea61b0428fba38d106d5bacf770a9275eaf226d5f143d6ff7735b27d34a6f3a7aa69524e6d1155e6a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

MD5 07f8bcdf05c4c0f4195df2b48212b1d3
SHA1 428926add7d4777f7a093be333db18163c5759da
SHA256 49f804c4aad92b4581fba94d28561079b6d9252fb937f13e1d4284408b2e2255
SHA512 97cbbeb2baa18a5d29889419c89831ebf3000b4fb8887bead87ad367ea0cf506398200e0857e2a6a2fbb709d03c2a8bee37e3bca3c722f67079d6228bfc43690

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

MD5 1be22f40a06c4e7348f4e7eaf40634a9
SHA1 8205ec74cd32ef63b1cc274181a74b95eedf86df
SHA256 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691
SHA512 b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

MD5 257e766cd9c1fe481ea5b735362593cd
SHA1 12c45a4fde89b011d0d002eb63d0b5aa6bac3914
SHA256 2d4cb6362ba813734172cee4220aae97d314587fbc502f201691ac92996e2e6d
SHA512 16262b02831d13bf8b1fcb1b8af5a7d31a3aa72d9db878836fb4046679c57080b1ac17ef8214f0f67e6ab2570f39cde012e573e583bb6b55673f2d9cd6f19c31

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

MD5 08bbf102664e2ef95c429464d8b249f2
SHA1 4d426f636ceec3a6fcc2cc39f5519558030ca51d
SHA256 082e6adc163f0dccc4dc303d85963e2444df9e5efdeadbeb9a08756244518558
SHA512 f3d9a6cfd6b6c44315198c874b1e9377de9080f7a54210c3d41d339ce680cc5e7e54dd05c45a7acbef794cfe0d3d98c74300cceb8656bcef0a5f0f5e6a200075

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log

MD5 e9c694b34731bf91073cf432768a9c44
SHA1 861f5a99ad9ef017106ca6826efe42413cda1a0e
SHA256 01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85
SHA512 2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

MD5 b6d5d86412551e2d21c97af6f00d20c3
SHA1 543302ae0c758954e222399987bb5e364be89029
SHA256 e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191
SHA512 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 61e354c30727d780c36b272bd45ac189
SHA1 647237d955e6c20cb0484ebd6af02b6171bf9de5
SHA256 74b990db5d6b6f86191042ee3fdee34b4a25204815dc92ce1a13f14177a9eef7
SHA512 802b5fe9923a46d50408fc3751520cb135b6a73e3404e1e9d8bb4e259d9427d726fc0240aef0b922746d203cabb618b19f80f461f187fca0360875c8614a0a35

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

MD5 78c55e45e9d1dc2e44283cf45c66728a
SHA1 88e234d9f7a513c4806845ce5c07e0016cf13352
SHA256 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec
SHA512 f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

MD5 dcfbf5e55e49d6eb57ea10f3dd67384c
SHA1 ec6231ab901e5606a2bce62bc2261495a6dcee6e
SHA256 8d6fb4e3f3beccdf518dbc0e55146d56277f58abedc8d5092083ab9cd5d8e6f7
SHA512 e4b1d5c93fdc7c9032460669004ebe7c241fee831c98a9409e375bd482fa598705be464a5d2b777b8d2561499e9a0e7ee778bace3ad03506ebc6e26fd773693d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

MD5 7019e72dd2c8aa4683dbf87bde28da5c
SHA1 6967673d049430ccc8ee96bdf5e66fbc18f2ca23
SHA256 6e4497cb226591bd4ab91f4650709f7661b1588e004185798000ee8d978a37bc
SHA512 7a634e79f3151d950f066754ecf526b816c72a7e4be99981a792e0281685375ff3bc0570ad7c70dd22bb54cea449bc0e647966eac0a28952b5a4d275d97963a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

MD5 62fc2a34b795ef3b52818a717f8527e6
SHA1 ea3a8fced497b28401d4da48dd0d8c4726fd7c5f
SHA256 1b692d95fb922868166603ffcf3fba5ab95e3b4ac3b68ec650c9f34fae7344be
SHA512 ec93a841845a338842f875de7a8b8534aa7509e288b4b6267d5196acd0cf138b8211d3b51c3d78221b44763dd6a7d192024263083467f33aa8241d8dcc6c445d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

MD5 22a1560bec465c91d8d9ba49e506b866
SHA1 a3e29d99282b90b448d41b1081e734964d1e6cd7
SHA256 ba42f00d671c7149646bd89cfa24c44bb463e60961e1a0cd8ae93a288f795666
SHA512 7fd251f881e2ac6280d960d0984b7b9aa9d010a935ef2ebbcf09c7ee8a14f4ee34b8aa1367c10e997c251d5669ccd48d307ec412daa0d70b00fa9ad97fad6f87

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 15498e2f23d9af2023f67d47decc42e1
SHA1 19f61b60d4b136de5203761edc3924e9ed6edead
SHA256 c4a0bea69ef3485c415e15043be7732a441f0f22b21e0eaeab2460561735f0ad
SHA512 d6dd1fd134d25f7ac6ffc323d8af72235214012857ecdd585bfbef0836dbaea4538305acefeb79b09ea206957e70dbf986e45798ed8dae9655f79f352bd7d2c7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 05840a80b21172f7c7c8b42278897b73
SHA1 268f65bc1d18b3bf7db8a94b4ee373f302d7f5fa
SHA256 5c5febc5e0ab69d320bee44713620bc994b3857ff3de117c37fea0f005f158b6
SHA512 d3bba7154bf580d140e66e411b68ca49ff54fb02fe94299d824101e2636b08cffaa25495089f7b07c30d269ebc38cb326b37e5f43d240748442e0379a367e507

C:\Users\Admin\AppData\Local\Temp\~DF1E77AC313C362B3E.TMP

MD5 53ea982a1b27600df175cf4853eeb9f3
SHA1 91b296be3fa3fcf1206aa25dcd5e0d4c6ae2e405
SHA256 3e7a013d3849cb95a48c887a26b735aa9a509caef2a1d72a5bd41af48643fcc2
SHA512 bb7c8563d7f53b05e230537ef85504f1017f555e8a9e4fd6ba6f25e08287ad30970f7f39ac2e33baa985be51a7a3f7496a8cc474211a2269c96e6ebdaa618455

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfb4d7fd6471f7107495750fcdf7b775
SHA1 01250cba328f1f905ccd05caa31f4147b1935942
SHA256 49eac95ba1afc00bee42e5bf5c9eb22722c274e4cdc152ccd87c6740c43d6166
SHA512 6b8cfe62f1bd98cf4e794793ea6d2f0e6ad7629d7ab4b2b24227c75bdf27f2fcde61e3bf95f35e9efb61e3f2559d5937b5c849078ff3898a746e69bda0941029

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd7469db7335eecdbd9d9e649e4b3875
SHA1 626c62407f1edb4943bebf3e14c6d69bea70b223
SHA256 04a360f59f777950f94ea45407c6142d6477aeb0bf70769e6320ad755fcb5b4a
SHA512 cc6c20f00f42555661edd2003b26b6d1b2a6917ef4dd2e4ce520b072c21dace765479cce8d1e50f7f166643e8e53ce310707c969a3c0d40ae2ffa6dfddc9c1e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a7459565fa534e25751fbcbc7b2516f
SHA1 3ae65118f3c033e9b58859bccd3363396ddd48c7
SHA256 a7ab711005fc69d2bbc5052e2b79e01d39d68d0f63b8a85e09b587162ec90638
SHA512 7e5483280424736c594509d38fd59ed985090459d1002d5f32b967d486e7b5417cd08c376350ce2e7900bd544183a0b80d42589f23bd10b1e330d4739fef04f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e372e7bedea9f10fe519dc3c98b8fe39
SHA1 9103abf406fe9a0f1c4610a4af1ba78037ec36ab
SHA256 5b1329c6095287c3cbcba1512a57fee7d1737a1e7f5bdbef9949428baea1d36e
SHA512 d75ec02be9f480b68cd9677bfb62a690e2198f3c2b8101fc1fd29a780754bf4ac0bfcc4959553e7a7ca9beee20c2b9ce24552264b7aea2b56d3a6a2621733911

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 c3649182865090f5870e186b08241e1f
SHA1 57561714cfb1b4747369bec0c96778e31693e35f
SHA256 2cba18676acfe2369056c96713526d66030bc27054051a4549094aa4fc2b4008
SHA512 728e23185720e2925830609d6b0ea7644e22ea94f195ea6f1484675caa6744797b2121ff65a27d17b5ea5c34dff6ddb92f434d1a92bde81b4650716438166051

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1117e20c28400702a2fd478f3fa2bc3
SHA1 2965dd4ce35364875d1bfb4b561ffc485cec6cce
SHA256 36b97b6491e3c69bfc3834d484c92b8313f97951215c3ec944592bf90698e817
SHA512 e1b6035ac4d8cc7c4fc85e752255c9d8f0fe2b16bc8698c9bbf477b0574a10131ee0dee042c33ea1aae7c9d5e6b32edf4cf840f8a24977a2b81f56773c31022f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31fa3c2280b8041041f85ebfc190d9da
SHA1 e3aa4fadab9d6b83fbc1f221e5d8f551ef91ca97
SHA256 408a90572633e45c061d3dc7207c48958b1cf0ec96341d35589333bd85ee905a
SHA512 12a2d90fe937dbcf061661ca09a4e905dbe6df11738ad5ed0ad8ba7529c4c49c42db565301ac900bd6c2ce69503bd96ff1b0f833b19688e69fdc5dc735b7caf1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1566b50a856773250e4dc557de8df750
SHA1 19cc92fff9f851d32cd28d5c010adbd2b300a74e
SHA256 660ef0ba0ab3a787aaea91bb02762347c939be2ce507a1e81ee0704f656ef1bd
SHA512 6790e1b7693d6b7fd873ae0e5e966260195088c40cd1a3625bf43e00c34add571b65ab2774033a279a50bc4db29cab90c3dcf991156c474a634fb1af97a531c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9e63f1dcb1213622c1b1c16d9eb2de0e
SHA1 3ff6e18b9404740c7e2b2250d86a29497d7b02c1
SHA256 469a0ecc1245c7b46b5e0c7c60f8cd899b186d18a601f0e8c5f20cb6ca346cac
SHA512 bd64e3f2eeaf156449303b1b9cb559c0d46d63d38d5f813e7627f20ec7e68287b7cdd63dd0ebfc9d69970df44c873b29afb37989590528343639e1ac5d0aa7f8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4e56a136791cb9c3bbfae17403186fc4
SHA1 a6194cf9e3c8b3f5ce8d52d6398d0dab3ad6dd01
SHA256 432ad8c1da54a07b644e301cb946dbf6a764419f9599f15086bba6b75908c4a8
SHA512 e074901b96fa340095ebda8dc0ecfef28fedaf9ff4c518cc9601d7d463282d76250ca183d8dc8fcaf5c6dac3a9b6b3b9cda64a0ff11f9a7326c2adc924254fb8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 434547b7a8fe4bc31be5c3b264a6ff28
SHA1 9cec3509a13b1f902989d97e8b36a37a76393ef3
SHA256 1cb3517b7bea00b04b66deaedb321b327e41654c61b33a2209b89fa5c8c0c82d
SHA512 46d5cf4ea163f0ac53237da793f701d1b276086300d1cf85edaa2256fada6066fe018e912dafbbbb995ff3ecdd59422529c5476445a1ff7f8d2da7013540294a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 cdd3d148c810ac67e62bef66d8f1be3f
SHA1 7753d3d4b409bc7c8fccc7c4b5fafea6c3044599
SHA256 98c2fdca6d0302bec380eb2cd70133e162381e74ac3c92d3c8e7b19c7cb3e175
SHA512 8a0bbfa198a266e3b8f1c2f9a8b7540d1de420fb968d2869073d38c9a07fcb5adf205319d18d89aa47bbc364bf5ecb45f096532dd7ec9bf6338e2c4e3c5a357f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e4d0d850-df7c-401b-bf99-3ac1db072349.tmp

MD5 2fb162a2a44c7ede56355d7257d94cf6
SHA1 ae06af2f6ff7c8f91d2b7090680a915fbbde16bd
SHA256 60a2ca8c7d2655a900a3bba9616fb992f89eafabdf351ac45e4f1ed80bd5b0a6
SHA512 d98332a9d10fcb007716376171bb9eeeec5e0c159c2212d2fbc4753f771a45faa6e5584f56ff492894bcd8dfb3df2f657149ffffd5766bf15a86f0fbf116669b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 13d967fb5c69b3836da7af0e4282a3e9
SHA1 a57082211279e21649fe7888ab52e9c53c8b1000
SHA256 66a487198e30579b066c9ac5bebcacdb2bb026bf7ac7e82878ab7496f32ea869
SHA512 987454db29d27f245a5394506e05fd157944f1bf3bc88a52b0d9afde52d807ee95c3a4f9601a43c8985433a0505942ec3ceecaef72e1c1b90545a386df6e7d67

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 13:11

Reported

2024-05-31 13:15

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\App.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\App.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A 7.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\App.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\App.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\App.exe

"C:\Users\Admin\AppData\Local\Temp\App.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\App.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'App.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.68.56.232:10589 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 232.56.68.3.in-addr.arpa udp
DE 3.68.56.232:10589 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3444-0-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp

memory/3444-1-0x0000000000B20000-0x0000000000B38000-memory.dmp

memory/3444-2-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/3056-3-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/3056-4-0x00000146D0640000-0x00000146D0662000-memory.dmp

memory/3056-5-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/3056-6-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmnxvuvp.hua.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3056-18-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c740b7699e2363ac4ecdf496520ca35
SHA1 aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256 be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA512 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

memory/3444-57-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp

memory/3444-58-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp

memory/3444-59-0x000000001DA60000-0x000000001DA6C000-memory.dmp