xworm | 99232a515ecf97e955c7670fc968197b580a4c9da436af31e3cea5f0455cef7d

Analysis

max time kernel
303s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizClient.exe
Size

75KB
MD5

6e9da280e2aebeb8224a0d717ec0cade
SHA1

9899b0a07ee7d77058a6ea10d0175da91a7c108c
SHA256

99232a515ecf97e955c7670fc968197b580a4c9da436af31e3cea5f0455cef7d
SHA512

0c079f8f00a87830bd57b0a0484c9667b1c058baeb120ac3fd2b47cd0f46efd5af77b2c99ec49eed820239105c73d93eab13f70ce37684d4a72d777a0c8eb25c
SSDEEP

1536:naEEjYy8YeKyLqKiyrJHkkhubz4zFYG+yHP66TsgOldgtF:aEVHk2ubzLSsgOldQF

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

programme-garden.gl.at.ply.gg:42957

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1880-1-0x0000000000990000-0x00000000009A8000-memory.dmp	family_xworm
C:\ProgramData\WizClient.exe	family_xworm
behavioral1/memory/1880-50-0x000000001C630000-0x000000001C63E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4852 powershell.exe
2244 powershell.exe
840 powershell.exe
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WizClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WizClient.exe

Drops startup file 2 IoCs

Processes:

WizClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe

Executes dropped EXE 7 IoCs

Processes:

WizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exeWizClient.exe

pid process

4764 WizClient.exe
4516 WizClient.exe
2296 WizClient.exe
1064 WizClient.exe
4940 WizClient.exe
3024 WizClient.exe
2336 WizClient.exe

pid	process
4764	WizClient.exe
4516	WizClient.exe
2296	WizClient.exe
1064	WizClient.exe
4940	WizClient.exe
3024	WizClient.exe
2336	WizClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WizClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe"	WizClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2452 schtasks.exe

flow	ioc
18	ip-api.com

pid	process
2452	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629031078028524"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
4852	powershell.exe
4852	powershell.exe
2244	powershell.exe
2244	powershell.exe
840	powershell.exe
840	powershell.exe
2460	chrome.exe
2460	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe
2460 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WizClient.exepowershell.exepowershell.exepowershell.exechrome.exeWizClient.exe

description	pid	process
Token: SeDebugPrivilege	1880	WizClient.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1880	WizClient.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeDebugPrivilege	4764	WizClient.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WizClient.exechrome.exe

description	pid	process	target process
PID 1880 wrote to memory of 4852	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 4852	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 2244	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 2244	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 840	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 840	1880	WizClient.exe	powershell.exe
PID 1880 wrote to memory of 2452	1880	WizClient.exe	schtasks.exe
PID 1880 wrote to memory of 2452	1880	WizClient.exe	schtasks.exe
PID 2460 wrote to memory of 5116	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 5116	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 2904	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4856	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 4856	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe
PID 2460 wrote to memory of 632	2460	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
2⤵
- Creates scheduled task(s)
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6c16ab58,0x7ffa6c16ab68,0x7ffa6c16ab78
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:2
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff65301ae48,0x7ff65301ae58,0x7ff65301ae68
3⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4836 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4848 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4544 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4260 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5076 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1128 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3976 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:1
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 --field-trial-handle=1948,i,17427525679705279056,13859810521719506605,131072 /prefetch:8
2⤵
PID:2400

C:\Users\Admin\Downloads\WizClient.exe
"C:\Users\Admin\Downloads\WizClient.exe"
2⤵
- Executes dropped EXE
PID:1064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2324

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4516

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2296

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3032

C:\Users\Admin\Downloads\WizClient.exe
"C:\Users\Admin\Downloads\WizClient.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
1⤵
- Executes dropped EXE
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizClient.exe
Filesize
75KB

MD5
6e9da280e2aebeb8224a0d717ec0cade

SHA1
9899b0a07ee7d77058a6ea10d0175da91a7c108c

SHA256
99232a515ecf97e955c7670fc968197b580a4c9da436af31e3cea5f0455cef7d

SHA512
0c079f8f00a87830bd57b0a0484c9667b1c058baeb120ac3fd2b47cd0f46efd5af77b2c99ec49eed820239105c73d93eab13f70ce37684d4a72d777a0c8eb25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
1b23b6dd8a2834a01e5db7181b5d7843

SHA1
8858ccdffb8785a755bf3716616a93994a788c0f

SHA256
cfa7e77cc4eeb3dbc9fb54198b95209a9a40a546d68a3962f4e97501b116b304

SHA512
4bc6b3945d37c370ef7369ca0a8d55f4adf0fe9ac32fc4a9431f76c89bc84ae4b6c0291d6ce0a4bd6328d12ff174ce45c77f7ceff47b8e9f3f8fa8a7b74963e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
b216141c1e0ac057a6bff1d61e5a7eff

SHA1
a5c52b1dfeb1817bf309308aa99554611430eec2

SHA256
9d2a71a4c5b416dad7053cf6b24a1e144be8310a1b10fe568e5a42a20be4d9c6

SHA512
7ab5110f3dc743eebfc78482c862f77e1520a5da4602888077001b7aaa673a9589f1f3c3f9a3e87ad38a44b6bf4ab93f672e1eb6f0e6f7ef7d321ab0adadc9f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d75145b0d33afacd18efe64890dd3f00

SHA1
4267d841ff6195859ab576204ac7d7bb3c5c6c87

SHA256
bda8ee034925162ebed26fafc00dfac2573c1ed500bfcabfa5187552b91fc5c1

SHA512
0fcabf8bf298f377b8f8d9df5a90b45dc88ef95c5de7e0d29fbaf8cc8bb2a5dd9ad5fe22764485e6403de88c9cdfe8c3f1d2ff992c25960f999c027a352aa10b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
5d5853d39f319cc592573420458c3bd8

SHA1
7e042758d0c5eb1288eca898c94963b73490fd34

SHA256
b558295071bfacb8346a447372ef5eea86f99c68901a9e1594b058fd10db606e

SHA512
d5ca906d941fc303e38e9caa91377414f7dfb849113e42d06dac5907dd9a4a90a601f16511b4d2d468edd002bdb3494d0f4c2fc0fa6cc2eec102b8ab474c938c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
1c40d502054b195f9f9721ab72d534fe

SHA1
93bf883d7136a2135310812ee7e860f47d439242

SHA256
def18f306131030eb54ba812eeb95683cec78c3a9156591e07810a2b2cb5d22f

SHA512
5220e011217dbb4f6b332346984b997eece701e42b15338371dc01442d0cf8af7fc280fd9e3a3d3b088b97f9c73c5e6b24e467280f5ce4524334b363dae9486e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
77820d4d6262a923300d61b4f651116f

SHA1
cf1cc84aa65bb05e839aaf59752ad766ea6c23a3

SHA256
d4fc9c60e59ad798f7c75338442a0010942ca18cbcf67af8dc88a867dc77e709

SHA512
e6000359af7a56542b0d1722f2ab1719fe49c8d68b2fc32fc7bb4a609aae5ed3083e73fa8676d98d16f6b142df21d650c1efd32f5ca784b27ea242ecea3722fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d9ec9711b02a36fbe712d0ba3f9f4c9e

SHA1
d697ec68731f5338596bca7727a88a69a280c33b

SHA256
34d75dfa3fef414ca91d3cc444fbc487d6507ed833fbb687b7ac8d3c5b21b5c8

SHA512
be2a45506285851171bfe84c637ee252c6e053e5ca25dd1b0b13b346867966af70d6f4cde67f383329e722ee37d9980f0cc9472f192e0fff18018b6ae2f38681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
15e715bbfbf7bdd3497ca1a3b1f2be2c

SHA1
08bfb55d8739473265273d465a2d6863834dddce

SHA256
38f74bce384b444c02f5540fddf887601393b4bffc8ef4449572f4f745f37b3e

SHA512
08d7848b9c0d114e1147af349f7cc6a1afd8e27213a0274bde9a9afef9822c56f0e7aa5dbc218be49ce44bc5ebf5534841ee54d3392f98a62c733890743a8431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
07b075037f776c1b0e43c0a3b80da6be

SHA1
cfdb8e6f0ad8d2467d2930bc4d6d7731bae8d796

SHA256
ed6581600b751eb39c781c8c1ed2f9dd3636271d7f20a2bd239d3d039bf5271e

SHA512
60837ad051209b4ab98f0e62c6ee7bb8bee6366688940aff29539e422da86f077a5e1b961acf7c3e96b1f598d22065da43274fc8b32c216819abbf4eadec4bf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3d47b83edf8a111581480eab23800133

SHA1
f9188f48db05d5a35801f97aead02e85e5bbe3d4

SHA256
3432581babe6a0743239ef0875153dd94daea411e2a4281cb27fc2d0f27e2660

SHA512
00dd44a84883ccf358680f265d10f84ab54e1e2ec9cba08e32d213a5e85dc65685bfdec64ab3c994fac3f008c7b3e407c36e3eaf35248c8b44f3f0e426215ab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
456d548a2ea6b25749f2b57bea745d1a

SHA1
ac8dd3113864a1aa40db2ca954d70717eaf7b2f3

SHA256
d15efffac34454b2777f4742a1322ecbacd823f93cac66f12080b645888dc76f

SHA512
62992a6031b9eafaf8b552415cd2663223d809bc7edd1c367fef9dd9813f702df1dd6f8bb6eb4c4ceecd9aabb52a13ac7df26fff5f3236e35f5ba58205748b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ea9574c7eab199e8bf6bcc9649543207

SHA1
b9cc0f9d85bbeac637f1b9590a0fe9a39d0c06e6

SHA256
6daed485ffd311b37f1bf5425d912788d6b50c3524ede0a88276b5d2ed8bfb8b

SHA512
0cf6ed4410953ef63bf6c1d37565d16a95c45641cd6f72e220e78e9377a127f171e5e968ae9b0d096097db839f85016f0d515f964935c160e501b0ce6aca522c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
10788cb06d45ba536b1ebc389099e44a

SHA1
86825a0a524dcb16aaaef4e8ff4ddbb0a997924f

SHA256
8f4768ac9c152254a89e7f0fdd0bec7d98bcd0a70cb0e2cf89393b6273d541f3

SHA512
8cb780987c1851c396af95e5256e18e8f473084ff27cf6fed170b7fb855c696f065046e041829aa86b28fd57154b7238faf35f89aa245e2c1ef16dd7730f39c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
dec1326b3631f2f9bf94ee7fa0457bd3

SHA1
b2c71d665160c44272a3bb9602c4c128b85696d7

SHA256
c12b9c8b7fc794a9297ab889d8f2d5ca255a7ceeff7c212756388165c1cd82b8

SHA512
fe5a4984d81834f790ffc368887ded24b58ffa0a9bc30f3dbbae133142b277d4f49beee99b27648329caeae3594cc5bcee48a8ff83901e6dced7863d234bd7c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
86eeafa5d16751a9a2e5368a3d5d09e4

SHA1
ad918b61d9cc83440ac37c1d7423cbfcd093478d

SHA256
2982fc1c380b83247ae15c17d2cd9dae19cc8bb6a6dce8bdeeed5797f11f0d0e

SHA512
a5b15998ecba51e46686ace7346b57fd00c91db8841addd764dc4e3f56c77c506a012bb16e0acad7ffef74a7fb89634be10d4b5dde621fd0e808ed07c644b85d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
e68d825b74f54a1d275a015143b34ce1

SHA1
97820f3ca55be8451123a79c7bccd2367d70bf5c

SHA256
184f101a1decb0c1986d4b7837b58af6206f65daa459ec9333379c4908ba4dea

SHA512
ef1b288e14b43fd0e8ca01d96370c632e2254a6da1e3964c41438473906d16ca1f3af6cc15408f0ec25fa83c516af0075eae60747b911431b992c4ef208d2865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
8ac21a42a2363f3969ba2f6c5d34c47c

SHA1
26b82396d2c69242b45167b01c52fd9d6929270f

SHA256
8329c0a63597b503c57d1146ffff364ef3cb64a3b69466aca077143aa83188b1

SHA512
75705f8d7f2be1584b441f44d66c5e6e06d2f1837d497ec24ff06a039c03cab59309466170a80ed837d54dff75ce7f655f4b676eeb34da182ea8b7051c2e9b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
c4e13c5f1cf137b6d4303cdbf0c21a3c

SHA1
1d0bd0c8717e9d6c9a67f865c009180d6e910dbc

SHA256
49f8c28c4a1f2e849a735658a7a13e5da991bad17c9fc4462930b7bc7bbd88f7

SHA512
3a16d38089291e0990e6f28d75b8bd2b9debe3320202876441dd6a0c83aa45fc26e9a1ba8f9ee4ad19d349dc878e0db1656de3cca41af4c1b67c02fe672eebbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58dc13.TMP
Filesize
89KB

MD5
90167883fa519213714ac273c733aa9c

SHA1
ebf7de6ca420a9d1033fff67682c6137e0b892fe

SHA256
b145e04cc2ba55dddf72e7d93419c205dc39f5ebacbeaefb4499ef11f9ef09a0

SHA512
1154668dc0d77dfa687f5d1a8d2ad4897ff012e3e1a8d5664d5577b5aa4e868c1c0d402b16f7df2ad8d697e51c911c9df6d5a116df9149d9f38c818fbbb6a830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hkts4k4g.jvu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_2460_MFKFUGJQECEDFTYM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1880-2-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/1880-50-0x000000001C630000-0x000000001C63E000-memory.dmp

Filesize
56KB

Download
memory/1880-52-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/1880-0-0x00007FFA6FAD3000-0x00007FFA6FAD5000-memory.dmp

Filesize
8KB

Download
memory/1880-51-0x00007FFA6FAD3000-0x00007FFA6FAD5000-memory.dmp

Filesize
8KB

Download
memory/1880-1-0x0000000000990000-0x00000000009A8000-memory.dmp

Filesize
96KB

Download
memory/4852-18-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/4852-4-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/4852-3-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/4852-5-0x00007FFA6FAD0000-0x00007FFA70591000-memory.dmp

Filesize
10.8MB

Download
memory/4852-15-0x000001DD89000000-0x000001DD89022000-memory.dmp

Filesize
136KB

Download