Malware Analysis Report

2024-09-11 14:04

Sample ID 240614-2kdt1ayfre
Target Xworm v5.6.1.exe
SHA256 481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172

Threat Level: Known bad

The file Xworm v5.6.1.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:38

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:38

Reported

2024-06-14 22:40

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows start.lnk C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows start.lnk C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows start N/A
N/A N/A C:\ProgramData\Windows start N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows start = "C:\\ProgramData\\Windows start" C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628783189174246" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows start N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3732 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 3192 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 3192 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4056 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4056 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 4924 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe

"C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm v5.6.1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm v5.6.1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows start'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows start'

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb949ab58,0x7ffcb949ab68,0x7ffcb949ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows start" /tr "C:\ProgramData\Windows start"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4836 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3488 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\ProgramData\Windows start

"C:\ProgramData\Windows start"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5036 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4176 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\ProgramData\Windows start

"C:\ProgramData\Windows start"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3136 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4496 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5004 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3220 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5764 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5960 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3436 --field-trial-handle=2000,i,2060104860282988637,7607936171477565068,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 52.123.242.9:443 tcp
US 8.8.8.8:53 india-southampton.gl.at.ply.gg udp
US 147.185.221.20:20350 india-southampton.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
GB 52.123.242.49:443 tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 www.win-rar.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 163.68.195.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 tny.im udp
US 172.67.169.27:443 tny.im tcp
US 172.67.169.27:443 tny.im tcp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons4.gvt2.com udp
US 216.239.32.116:443 beacons4.gvt2.com tcp
US 8.8.8.8:53 apis.google.com udp
US 216.239.32.116:443 beacons4.gvt2.com udp
US 8.8.8.8:53 27.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 116.32.239.216.in-addr.arpa udp
GB 142.250.200.14:443 apis.google.com udp
GB 142.250.187.238:443 drive.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 accounts.google.com udp
GB 172.217.169.3:443 ssl.gstatic.com udp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 content.googleapis.com udp
US 8.8.8.8:53 blobcomments-pa.clients6.google.com udp
GB 142.250.178.10:443 blobcomments-pa.clients6.google.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.178.10:443 content-autofill.googleapis.com udp
GB 142.250.200.42:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 172.217.16.225:443 lh3.googleusercontent.com udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 peoplestackwebexperiments-pa.clients6.google.com udp
GB 142.250.200.42:443 peoplestackwebexperiments-pa.clients6.google.com tcp
GB 142.250.200.42:443 peoplestackwebexperiments-pa.clients6.google.com tcp
GB 142.250.200.42:443 peoplestackwebexperiments-pa.clients6.google.com udp
DE 51.195.68.163:443 www.win-rar.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 142.250.179.225:443 drive.usercontent.google.com udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

memory/3732-0-0x0000000000110000-0x0000000000122000-memory.dmp

memory/3732-1-0x00007FFCB8363000-0x00007FFCB8365000-memory.dmp

memory/3732-2-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

memory/676-3-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

memory/676-9-0x000001BA60B40000-0x000001BA60B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uktzzxxv.cqr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/676-14-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

memory/676-15-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

memory/676-18-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb033be02578f9635ec47bdc1de5c3fb
SHA1 ec356bc87381354a06baa9c30e8c3ac3d30e0f6f
SHA256 bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063
SHA512 4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

\??\pipe\crashpad_2092_QYWQXYVPLYSENREX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 be6aae5522e0fa32de89b7dbdae4173d
SHA1 da7ce9eb293e4638e14b2ff66c3952d62fb6f081
SHA256 848520a2ad4ced38fe4ec8e549de2c9dc2545280c895ec969b3a3ab1578a0b75
SHA512 51c85574a01c87e2b354226a499fa7270b67bc920cc12c69e29564320bcddd880c8bd3401420df4fe5c962669b8f583767033163cf129ed671b87e48d827f0a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 41cc45babd32d7abae6a61a204cb7b3f
SHA1 1f0ce33b7497afa11c4c7c35a1eb8c29c98faf70
SHA256 34fa7dfff2ac16801218e11ca670e423e5ab03f7dc4b12f32600914bb605b75c
SHA512 f6946c3f59a851a77fb015a56433daa9d90348a6f15e301735a742ae11fb7b7d00193f1b306929d21ea910e16515c40c72fd8f7440f35a4f901395750839c414

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9c53e203779b3f381c0af02c55ce8077
SHA1 3b84ede0eeb571bead80d6d544e9c4483b6ab811
SHA256 3c0f58c53b8dc0d55f66be3f0d07cb4ee85f4d02e7d8440806181e9f1f95f721
SHA512 ae592136fa096c5e05ef7066783597f63f889477dea949ac6cc0355bec1d6d26f4a325bece678e491bcc9f8c8ef54a8190ec45759e5770be1c15a7efa6a224dc

memory/3732-150-0x00007FFCB8363000-0x00007FFCB8365000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 40a5af7ad96480bdf403a858572e420a
SHA1 3cf9399ed3f096cbddcab38e5ad85f63bb2fcb3d
SHA256 9f3e68345e48514583700dc886e93adda5b6dc5bc5f90081dd7c218d359b245c
SHA512 97c253ebb050af144ef42c724c51bd69a4ec44da4762670b7fde97beacd310db8468333d60b4395e9ee3247fadf9956fedbc874ce20bdfa57486aed4db0057dc

memory/3732-159-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f82a8bc19883c7ffd127c1fd32fb8af5
SHA1 b408e94279cbe49252452770ac4008ecb1a842cb
SHA256 8d1935156fc5f4a1e485c9e5a7d90423e0b96b1c9c79f554827539df4c1138e2
SHA512 b1796dc223841d725095774df9ff37de6ad230a7d7a9387ac7260ad303221aa9b8a3ed034aae477dcf3910ec303ed5b0f401a9d76b79f9f9ded2808c1dd9400b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4039271010505f6768bb5b0340300af4
SHA1 cb1741cf21b7d7268bc4b90a62b59c46bb0bba83
SHA256 a459d9d658f4d4199110e6d9f7e34367c2c1e2f32529ecdd64ec1912652c535f
SHA512 c365a9bba524d4382d554021dd297bc35f8290a0828f4d2f1469e45f6264d9d0657bae044b232bb73baf4e8720932a992c61b081882c3c909cdd97ae89950da2

C:\ProgramData\Windows start

MD5 b419e672ce09e76bf687726eb487ac47
SHA1 082df415a432d8d0547bc6e73bbce82233a89990
SHA256 481bbd6737c0ce01a24654154b563a07caa49aa41d1743cc3ed0ef6d2bb7f172
SHA512 b77679b6a11b83cdf222af9b5d54832152eb11b4b16ca1c1a672a53accd5ae111c1ba8eb15e777d8fcc5719c6b7e67b2a816536c03b4a96e711ffe9715b853b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 415c6f667e43c9bef6077b1fd2db7539
SHA1 f21135b7a91d903c3fda61d269c5b8697d19e9e9
SHA256 4f807b6122fddd076484be12455fef68bd421d8d45d9f459bab8996328a3d533
SHA512 4d3d69ec5aa0925e878ae3cd8c8283fabb98398f7df69e906e9644216492ec65e1f3a693d172648b3221e6e3d5e457d3faf86a3112456a85010da8312344cbe5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2af567418beb827253589b2724a39a5e
SHA1 d77e9df9be887dcfce89a2b52fdae531afee7e65
SHA256 3062e7ddf4f2c5a497b89022cc81996cd6d10cf9acd0e4259cd1297592e79c92
SHA512 add86513aad206c7515db282819c6a8ff786cc3b7a93bca9942eb6955d29cac4e42f10fd0fc1f5d4bf9ef2554167cfc857c0d8a5b9c09287e258a25e7617cb53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 85b85d610bd13b8cc1c36eea55f06104
SHA1 a6f23b3330522438168d5244474cf4d953fcc008
SHA256 c3d5b1ca310994608d05afec172991a6a74c6a97616d31e669bc13125ca9a7fc
SHA512 7a494bda5d2ed0e22dd60ccfbd63e4c94e21ede7ebd231ef4d5df61064ed576cde13bea4c4e62ed76402004de7bb2c34f8bfba258a0f2949145bea52b4daf2dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 69c32cd3de72ce40e2136e7155116f0c
SHA1 cf1f70bfd3a64eea7a0ae08069136512d92026a1
SHA256 44d80458581dbbaaf280becdc88692ebc712603d84944c31e89fc4f06e4d06e8
SHA512 413cd1339964684dd496bc33b725716dbaf0346ed7466bbc3c4a2e353b41aa9ad9c4c07c9a01529dbdfedc021483a95c58f3bb6187d4522f03cf8c0cfe86d3af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0921d37b187e2b08a08445546a6e4d85
SHA1 6ffb1a5308d18d4ac45dabe41b03de4fea4d4396
SHA256 01a9f879514da6e5457f5dbd34e6ec0ae4becd165ae5fb04dcab397f15e8bd2c
SHA512 dcce64487ccd1fc6568fa3c766f33e85ab6d4b2b0a23825505f791644fac30545f3dbc4a04803c14b316cc9618c9642041a70c77912ad51c01d64230b8237ff5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows start.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4607a2f525a7e0e0062a970e80ea12d2
SHA1 ad31ef5d07fb31652f8877ce656cdbd5bee4ddea
SHA256 6ed0c96e43b9557495225de7406fc577ac6c7d1f67922e523fbb59fc939e4147
SHA512 e3f1d130c90149624904977215c4341adfb076b5a784852aa977d40538d138ada325571256fd2e706ac87b0910ec290732276f66bae4a7f25d36c4585cf02c32

C:\Users\Admin\Downloads\winrar-x64-701.exe

MD5 46c17c999744470b689331f41eab7df1
SHA1 b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256 c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512 4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 bfd768de668097fdb623794800c965e9
SHA1 4105ee6da2df19fb3e4ee02d30f730ee9da38ddc
SHA256 f7df19ae5121a67ca36461b56a3d19dac777881da989de3c3c7595ddfcdf36ee
SHA512 b721d2384f3087574b6a25180b3a4789e387a2e58818512808926b77d1703416562a380456c1543a400513891097be655782a9c373c39a7949c70bb9c4039849

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 0ea78ca7b093dc1d13df87ef4de2efbe
SHA1 0c3bcacf78290ad10415ddc24e5aad440d22e917
SHA256 e81e003b7deb2e41444f06e09afd83bd1a7271c5ed541dd19b282fb34017ed39
SHA512 5f748d4a6c9cc73fadd08e717b0d3d783a670b35d0b6bc05c07bc51e57c3171074014cf50e5e97227946614f6319a6c642a2d8f9e7306f984a983fcfa312d5f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a5768.TMP

MD5 c86a510bf28a73512a60917b1aa23416
SHA1 d139777b84b30727cf5812365f383657057da3f8
SHA256 c5f570412ef288d2c0a39fdcba19511d568302569f68e9faf4e875be3c1ac4fc
SHA512 685bc1ab87d3f228be21eb5b294d6ba9f28d84953f572aa23d49b136c6475bb27a456ab32b9d3b79145f58cdfe0fc2814a0b503135eb5363a41b061643a2ae02

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 99b612861a333fc993d75f6cfbc73b94
SHA1 4627a82855464dcd506159dfcce76657b58ab85c
SHA256 6ab313ac1ac217ff731beb77f48f7b47a965eb88a0d10b4a7ebb7fc32e9f917b
SHA512 67e6b0d973aff0893f9b37c07f5ccb81ef0d7e8b7c958af5768d60b2e16b663c99b51e9ac199e568a15b33ef72bc2788a07536ac83f859e9f1b7b561a090292b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9224e686243ef4fa8a9bf19a8d273ef4
SHA1 694451cb342e54a4a3c2c72c46c38edf2072f32b
SHA256 5dd20bccf3c7664a368ea72c66eb0ced92c6f005371d66b93a7e8a4bb3caf421
SHA512 c65864021f3a3d57082d5ed30ddcf66ae7442f4ea00d55dc2bc643fbcc31f96423c87ecb5504771d41cce6c8333351a505b55ddfd2ae94d5936173bbb6ca0b44

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6b14abed0820017b18c82cee76b19ca6
SHA1 9d83db56bea1d2c4122d9162534010a897f126e9
SHA256 5d4741893288b39b8380a32e75ab304f898d67e44b882723fdc4b99e0413660b
SHA512 c319e8a5b81a049db442b5116c924ea2c770c8c3509b913364cdba5e941e0c5f9a23d7826fd4deb11ff9ec91c570636a39e440650ecac5d95034bbebc6744ee6