xworm | c471bf614dcc7041104247415092c5d5e39d6880d94e2269bc0b0cb37bdafae4

Analysis

max time kernel
147s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

35KB
MD5

29c0b07dd4292bfd7b4fef87afc37eba
SHA1

fdac36a0930b1d0294ee84062c821e4f363fd142
SHA256

c471bf614dcc7041104247415092c5d5e39d6880d94e2269bc0b0cb37bdafae4
SHA512

70d72db2359cc3bc6ecdd29889648c29bd95027d5a2a4bc55612ab61aa50badd8a123b0198b4426125b6f9c19e860a04808e9f307209afee43fb68ce3c0d20bd
SSDEEP

768:NoHv9ouQGVEhiQfCYzseVFy+9FpOjhnOEE:NoHloqEhVa6sUFf9FpOj4

Score

10^/10

xworm ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

modern-educators.gl.at.ply.gg:23695

Mutex

secFxYhGeDMYM19Q

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3112-1-0x00000000005D0000-0x00000000005E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629271907842648"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
3988	msedge.exe
3988	msedge.exe
2284	msedge.exe
2284	msedge.exe
3100	msedge.exe
3100	msedge.exe
2420	identity_helper.exe
2420	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

[email protected]chrome.exe

description	pid	process
Token: SeDebugPrivilege	3112	[email protected]
Token: SeDebugPrivilege	3112	[email protected]
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exemsedge.exe

pid	process
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process	target process
PID 2124 wrote to memory of 4716	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4716	2124	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3080	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3080	1500	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 4176	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 240	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 240	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe
PID 2124 wrote to memory of 2508	2124	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda3fb3cb8,0x7ffda3fb3cc8,0x7ffda3fb3cd8
3⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
3⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
3⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
3⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
3⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
3⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
3⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
3⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12265815507687111241,61021459219832721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
3⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8f8bab58,0x7ffd8f8bab68,0x7ffd8f8bab78
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:2
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4792 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1572 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2460 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5152 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:1
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=1696,i,16049872760011324201,18422141014363360530,131072 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8f8bab58,0x7ffd8f8bab68,0x7ffd8f8bab78
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1960,i,16437661422590089717,1958554696935946532,131072 /prefetch:2
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1960,i,16437661422590089717,1958554696935946532,131072 /prefetch:8
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
767147a173231a9acb252df47c72fd36

SHA1
ede4b0ac5e9f0d30966504e769e26014d5ef5afe

SHA256
560ea47c2a453d4c8d678522d3da389933d5481b5c0db4f23da212a5d2133b3a

SHA512
a3fcbc35c20cb71f3e8fda9345137f207794666c6ca3862670d33db7c8e7b05e0c1c11d0cd591e2e31c4af1309b2fef872b788507e564db3801e8320d1fda7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
05bf707cd231d13dd787bdc9aaab6647

SHA1
c31196ceb895be7649295eda7a882001085adb5d

SHA256
44ca8baaa103c9695c1072d5777338c2a7e980dbff8eb2c1267a56807eb0ec31

SHA512
59dd6bde69b83f14eba7e79ab757352480f6d80d0c92585cd837169bf59ba6e34a465a1a9bad3c77ea4ee3f875dc2fe46e44eb07b26e13caf3971ad5a7c54c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
232d8c23ffa90d8a878d4e581d87728c

SHA1
bb45b7b96ce04f647e4fc6a4982ca7293ebb92b0

SHA256
2aaa301ddc019999ec80fcc3da2dbdb2c1c1884b9063279aeb4c362d5ae52015

SHA512
49f0411d6d85f21b5d00c55f3ee75ec56fc45fd9aac618bedd655419b56854bb46eafdd58eaf87427e3276b99133db1bbe57754a181e5d51f315096891be76a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
a14a458be5e6764f7f882f34b0922303

SHA1
784ac661d892ce57a6aacbcd60233fb960bdc353

SHA256
0eeb06979e3023ce25fbe6878defea869bde864ab64dd6f4e70010ba70122182

SHA512
fae13265d0b0a1caada6150966eb81b348cb349b19f84b8dce9301fc76b0ae7eeafd9b615384e9362ddfabe1bc77e59ca1237267771609f47bcd38c5542be858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
6da5100d1aa4ab01979fd54a0c88649c

SHA1
905c45a4858f6bdf0adce324966fcf95bb6097a3

SHA256
eb9d52494ec407228afaffc8629edbe54354dc422399c3fcf2226e4649b2be12

SHA512
b145d4a18920961a672a529c3b70e22f8cf5f4c8884370de72623203d5b95c02a22b676515499b5f80e2cb726012480c84d3c78f4af565e0b36b37eb526a70c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
8d8a0df0d5ef6dca3c4357f8d92bf9a0

SHA1
10d699e54d62ac966c7701ac311de3c56a50873d

SHA256
dc7bda1c13b9d83220e91faf05ed0cad5529abf5895733c44fc6c5a2b1ea1dee

SHA512
a60e080725722383011f58c8ba19d4b071c051fc81a0561bfec1e264f66f74f1ec193f3d86386b2901636468c1139601f56487f7563117b3b889d1d76232dc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1024B

MD5
c16e5c36350870856bdccf35bc940144

SHA1
e9d5480f154dee21a03eca6ef80498df7373b172

SHA256
647e970fefab31dac80512a4fc4bfcff0a5f962c67370c793a14ae79f7fa8d71

SHA512
07d34c9cd01227d59911d2e6009c774ac9c5d275e56a84ef7a49e59218a8b164315bb5dc1eac4debd39e90397437137afe608dd4c6e60bfa35519965f1e94176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
fea9b167f4074dc5ce27cf90e1284554

SHA1
3f72b164875413224bdaed34e6f6b006ce255e96

SHA256
23210fa3fedafb7d057b51750c9e0560147c94d6b92c633f449d94b56140f8cb

SHA512
ee522fad87b5dc1025b72c720981ac715aceded5bf6622bb50a9b4ed75566bb14a9d3b12a2a8da1f2577720a44cc067621bc1f3af38e47da0aed76bf8c44e812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
24a51e637b79f7eea92b37228b5917ca

SHA1
562932c66768f1a46d7943e43119af29f2c04450

SHA256
f952c896f370f28bcd0358129996f9560115e11f88bcc0c1fe42d4bf13c1beb8

SHA512
5a8b4c97ff19a4eb579b913f93db5645c9b7e3ded0e329a9d160745aaf5c730b310ee4de616fbf7fd5212a76a82022f4274bf302f33db545a7c6c6b22876c87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
ba3f606d11447aba829a702a616f2739

SHA1
79c9b8a10fc623d35a8d5739c69fae6fb05bad11

SHA256
a9aafd673995f280c18eae18c007ed0e5ab6fd2dd113da6b711c6cf2a0aa031f

SHA512
928aa1d1784c7929a3dfa9718571bcb4daecf5dc15bf0711bb4a4ebdfbe556985f5c2a621f1e7f685a95db1d7f6c82404823adc137c7217823c7b0cbd6a98029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
94bbf7a71e7b0cc714445e0e430e4c58

SHA1
a6507517da2595a5986931fa897028be0a7995a1

SHA256
56e8e226381dd447f2af329516cb6326a2b2e18bdbc2329e3fca89fec68bcc8f

SHA512
245225292c127f7a886549a91d7cc96f025d12c7c71dc1c3f82b31861c5f60af8e38123672879e3eb7e877c3add36f5b06df97e10a7a34d01f8a062d569f66ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
66c27a8aaca1bec4d103018c26b3b8b1

SHA1
c3d5145ff3d99d3672dd4c945151cb57c3ea88d8

SHA256
3c8d9eb3b9319dadc14b55ab08af148fbb25fee3ba4b815fd38022a1ae50dceb

SHA512
d50d29382621219fa53dab926c54335300f9db9bef805f7b049da976978e6cacde62fed34725d1112f227d0edeb0665cae370ba085e95dd0def62a168a8805b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
01da72c8b0051f597d74969a3bde7e8e

SHA1
a94c536e65a26ca5b870bca3987ea613879b0dbe

SHA256
d92b22884d8b6de6c5ca04e68a03e6f7cdf2643a7b2ba79b7fcf7247594c4000

SHA512
ce874d6c7d87f8f7a69e189c38453cce1c303e956c720b84b17904f6ebe6d6632f125c1faad3a7b527bf1657d18e0e40d42e39935e95e91c57a95da404f0c9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
c4e7ff22930aa5244276ceed5c8229ea

SHA1
ca59b762821418eec2da0faa1edd0fa1600d3de4

SHA256
8de42f555509ef6a8d81dd888bcded8db829d6c6dd651cd8991a592f45e21036

SHA512
2c74eeab814d6aadf93deb3f9f45c414af227f9a8ed6113ecbae0ee3c904ddf20d57d9e3fa9fd2c98fbac7320cf29601c67d5bd4bcaa026417938c19ac306625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
31139343d35de575a039721a75f6709f

SHA1
fe826cc261f1cd01499d9550250d59c4421a16d6

SHA256
866c2f4835e4423c7d3ec7fd8b6bf684b993d93e0cc7db3aa600f8250eeeaf84

SHA512
6e39d899c39ca599ec11a256191b508e31ee839bb7aac01dde72e050aabb637e35a106e6eaa68bb56abcf9ddb12dcf1f33ab8fdc54c3d951622603f02b5f15c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
e28185c883dcdbfcb1a8a3fcd608f809

SHA1
1e3a2da1e431b43d1373aa5563b7118af177aaf5

SHA256
111d384899c64963094e69c24a1ceba2d53e09b7e00abfe543141b4ad8ba5780

SHA512
4ceb0e3927f50aeb409f2636dc228bbf97dc1c245c6103376bb25547704f13559776a94918b403c5b021c3da414f62c66b47f78f0d1e932219f11c6692bc973d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
4424342618eb22fb2b887b0535c5b19d

SHA1
c665f403f2c307b84cd81c2ad68ae063a165451d

SHA256
b6998173689ecb0472f3b6c82966346d6db908ae3d91186ae429203ff1356c1c

SHA512
7800c5c36727ec2d784be8befc2cc0b4afe4ba9d2ad145c7b198fc603ada1a9c8e32992d4545d94042275a19c0e81b48e20412726a4adb4732db6ed473120073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
289KB

MD5
f30be94972266a65333484d6dbb04f35

SHA1
1c1af72bd88694ac6c9e45a6a8bfd5ae7e32268b

SHA256
454dd8fd4718ac573f62f44b09c678958ed648767fc60a9fa01eeeca97a9d98f

SHA512
4a90a5e867433df1b4b332e5383486599721ad626485a87eb5b0f389263f3362b50aec8618d4fca11a5330ec4b3efae135e38f21dcfd8551ee788f1497ba850d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
5a5ad385b71f895adaa7e6aca25bccf1

SHA1
fc26a23a32035466c5075c7d45cfbe6fc0b7bb88

SHA256
00ba45a0d732d851d18fb8dbd6baeed848ae17ed727bb24ee7e8a82a40e9ac56

SHA512
400974af406c883bf46bf83f971d5d28a0c71324da97a064ecf170ad94382179c9ab330f4bf12cc819f245e12bd9bdc4eb7f5cb2d108cdbeaa7fa114a2a7db05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
f4fd55224dc3fa66666cfd2da1b8a8d3

SHA1
aabdc37d439b634b34fd38c4d8322b8198cf85d5

SHA256
63c005cc3429b6ef9afe73abdb0c4284c071dc79823c5f6b3cb89c0527a8a38a

SHA512
e3bab5d4f78e4a7e4dd25c665183a05af1cfd5913221898f584233d492abd1741e77fe41582e9fb0972dff8bc686a0342ec65150e98ea73a7ad8186972d81f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
c28ad47928d68524b6a96c6d64449cc9

SHA1
f4293ae846a78bf7fcb9d9c01148fc75ad157b9c

SHA256
d493fde5d01b4ed9d92f1e14856426a869993537ff0612529b39a0171eb3e53d

SHA512
86197eab2b9e7c9d2695bb0502bc947bd7b3e8d6150b8730dc40016704608f7c6623f31eb49c630115a06469088ea14cee50036c59f20646c9f62d99d32cdacd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
6dbe6cd72de466042125e776df7bca98

SHA1
12cdf0457ae5b1ef669fcd51b43024889c420e03

SHA256
fd60fa6899ab1d9d970c3c0bd20abc2db03d306902d31f06ca770fae00dd3a48

SHA512
a3f96f6e21f85494fe2d4a653757f96c74dfdfdf3ca94146beb1df3951a4c04d19c26bce0fabdaf596a4912ea663405d4c5ec63be561824616b80897dbfbf58e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
277KB

MD5
b3dbdb5ed3ce9e8b187f7ff052ed7c0c

SHA1
5a43a26b7158532bb7738e4130c5982dc40791a9

SHA256
6a38670adb0d14c915a035f84d97ce1a2670a9d2b93974b73dfdf24b90a7b003

SHA512
8c997a1a627931a4d21b6f709fb8d9934d140a10d8d87b00b7516d2fae0e257e34576b436f85ab7cdd0e4e9a4e515148471fddfc2382b8e8dce5d768eb29b311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
86KB

MD5
b03cd7efd875bc2ceec34ad7ca92b52d

SHA1
e73d289b6376de786c2970a9587c6c74cefdeceb

SHA256
e2287c1480717e8726ffb648206e872f4016b9e2431b2ec2361cb4aad5c06ed6

SHA512
bebb0492109caa687ea402a84b22dc19d1b84e49842c7b03bb3ec806fcb08338977bc6b2501f2c274427f79c745bf2c253b87dafa21e1b57028e4ea073243cb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
90KB

MD5
20dae7ebb6628436c9a4c99f697752c6

SHA1
99482e20fba7b3db22de8ebea10e2f73eaa6d1ce

SHA256
0ef9d0de89c201c55fa7c1da07322986a1f270f2b82acfd68c2b73f93f7bc90b

SHA512
933a40ab8d67ece788a4d033ec77efa61a1de95524b18ecb89e52ab03bbdecf7f6db36d9e75ae70933ff326c64ddace59cac0b9203c09cd3a24a1cc8c73a50bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58bacf.TMP
Filesize
83KB

MD5
423416b2bb615d5020ae4d33526ef5a4

SHA1
518602fad38c33190753a6905e6a6b91b0d1a7a6

SHA256
243d34dc7729b25621222f600c42d15ec4b9b50358f7853efe40066a8e612ce1

SHA512
94cf0d14eb873960099cabb56f5bdda09a6bb341d740ca63465c25579a2ce6adf5e838c9ee111d6a10d87eb372520584e1b4655f9aaf22bfe0f45ae9254bdc06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c4605aed5013f25a162a5054965829c

SHA1
4cec67cbc5ec1139df172dbc7a51fe38943360cf

SHA256
5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f

SHA512
bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3066a8b5ee69aa68f709bdfbb468b242

SHA1
a591d71a96bf512bd2cfe17233f368e48790a401

SHA256
76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434

SHA512
ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
317d9805b7b084531e5c7c79462d508f

SHA1
a97c8a1e64e6f885c2c66290db6c1bef1b7f1795

SHA256
ed17c79ff866ae5320fae37fb76fd16d3af4f34b8f961a187929122fad0ab5d2

SHA512
aed55b21d3a26d1cd869c0ecaff080590e290db9be5168c1c846754cc38b6549ebca599eddb1f659391fa8b087a7196b7dbfc6da31928c6d086ef0c367ce3f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b15e6497-b4a3-4954-9ece-b17b2aa63618.tmp
Filesize
5KB

MD5
c6a8e3e6fcc7da6cb8d09a4205afd87f

SHA1
355b1c92c00053ea49bf7d462b857fb1eeabb7e8

SHA256
7efe98f16ce93701f470a8c538a3b5b325b9e6112119f226f9b94f016c859aeb

SHA512
079dd98fe2bc12d735ccd54cc73eb2aa709f57aa9aa115c8aa2da9437d35ccc72b54241f48433889f363d9e3ed86a4a8a9871d2a6e5355d848b6dfaeb80c65ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d8b6c192e0aa0641d560f1e180220b15

SHA1
73aad24c4614cd71d741952f4a9126b0cd4bcc5f

SHA256
43cd5b4ec61e142cd5c609b2a30d0b6e365153aca6355821f22fe2b6a93a2350

SHA512
e2ad256f8f855ef8dab292dc4421ab2690002d87a845b37a5bd85d0e3bc83a61228895ea7107cd6e25bf3a6bdd8170c53cf559fcb6de13b956d4b865150f1761

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html
Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
b8052f8472e021780132cc95e1d34061

SHA1
79e4bf9a437191a717945b78c21e3222b12ee3f8

SHA256
c2928c8fff61ad2bbee1a2bbae6d78df23fbcfb8a0227f6b85dacfe946f4e715

SHA512
b2e0275925567aa6771f31646f2ee0774c79aae276f65cadc8b6de80f27a197df17c2bf11227bea96ecc0cd6f2c95c200f9d9da43c51a6f2c0de455cb1efae8c

Download Submit
\??\pipe\crashpad_2124_TWXCKCOZIWMOCMNS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3112-0-0x00007FFD94A73000-0x00007FFD94A75000-memory.dmp

Filesize
8KB

Download
memory/3112-9-0x00007FFD94A70000-0x00007FFD95532000-memory.dmp

Filesize
10.8MB

Download
memory/3112-8-0x00007FFD94A73000-0x00007FFD94A75000-memory.dmp

Filesize
8KB

Download
memory/3112-7-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/3112-6-0x00007FFD94A70000-0x00007FFD95532000-memory.dmp

Filesize
10.8MB

Download
memory/3112-1-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/3112-389-0x000000001B250000-0x000000001B25C000-memory.dmp

Filesize
48KB

Download