xworm | 8bf5e308b0177cdf90a1f265d253a5f793b18e4ab6c1d8d8e4eb17e65f62ad0d

Analysis

max time kernel
1199s
max time network
1174s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigge.exe
Size

35KB
MD5

dc402cf5b6e9ba34933a0da7802ff5b5
SHA1

de8c2ed0afafc0d61fd21d73763560cb71fc8fe4
SHA256

8bf5e308b0177cdf90a1f265d253a5f793b18e4ab6c1d8d8e4eb17e65f62ad0d
SHA512

e161bdc2c946df79457ef6d55a71050ea17d80acb7161de64348fa0a73e41a2b5ff08efaca2c2bec9618e29624ddabf0e65db1d2451ec846d6a1c3485b034483
SSDEEP

768:6oHv9ouQGVG0hiQfCYzZ4mVFy+9FmOjhbOED:6oHloqG0hVa6Z48Ff9FmOjL

Score

10^/10

xworm ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

modern-educators.gl.at.ply.gg:23695

Mutex

rXjPraooKQvjlW7I

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1932-1-0x0000000000960000-0x0000000000970000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nigge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	nigge.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	nigge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629302912055554"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
3620	msedge.exe
3620	msedge.exe
1640	msedge.exe
1640	msedge.exe
2560	msedge.exe
2560	msedge.exe
3704	identity_helper.exe
3704	identity_helper.exe
5812	chrome.exe
5812	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1932	nigge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
1640	msedge.exe
1640	msedge.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	nigge.exe
Token: SeDebugPrivilege	1932	nigge.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4928	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4916	2564	chrome.exe	81
PID 2564 wrote to memory of 4916	2564	chrome.exe	81
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 4044	2564	chrome.exe	82
PID 2564 wrote to memory of 3616	2564	chrome.exe	83
PID 2564 wrote to memory of 3616	2564	chrome.exe	83
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84
PID 2564 wrote to memory of 5040	2564	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\nigge.exe
"C:\Users\Admin\AppData\Local\Temp\nigge.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9464f3cb8,0x7ff9464f3cc8,0x7ff9464f3cd8
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:1380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4092 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,7333411262274861953,962186073909851744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94922ab58,0x7ff94922ab68,0x7ff94922ab78
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:2
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1296
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff66706ae48,0x7ff66706ae58,0x7ff66706ae68
    3⤵
    PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3964 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1704 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5040 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4132 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1512 --field-trial-handle=1796,i,3956231266697600771,8677942424348189857,131072 /prefetch:1
  2⤵
  PID:5612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004C8
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
68KB

MD5
f0c27286e196d0cb18681b58dfda5b37

SHA1
9539ba7e5e8f9cc453327ca251fe59be35edc20b

SHA256
7a6878398886e4c70cf3e9cec688dc852a1f1465feb9f461ff1f238b608d0127

SHA512
336333d29cd4f885e7758de9094b2defb8c9e1eb917cb55ff8c4627b903efb6a0b31dcda6005939ef2a604d014fe6c2acda7c8c802907e219739cf6dab96475b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
327KB

MD5
dd242f4737b2737ecad98bc2028b544a

SHA1
065a4e6f50f16e5986df7f582d4839e59c4338a4

SHA256
cc8950f8d690094464d97041d919cab9ec3af790437c6e3febb754e245171cd6

SHA512
b393c7f0da53d9ae875743cb564b223b2031767844db1de296b6e652492bc29f8e19bae002b66e987c00b11009ac7df0bff7a36d661f7846e8bd8c9a0957a272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
134KB

MD5
bb82f6b975721f7516c470271507feb1

SHA1
992a23f0dbd86734402fd9a29706436bc76fba1d

SHA256
495e8e7f53579ef9db3cde689bd31c4665ef84d900eed9f4a58887637eb26e69

SHA512
371f71a1b5376e5befc6fbb3d4cd1c2530aea5a87be2da08c8d0efad4b4aab338c2aee40880ece4442f284fc26ee94a8bd11cbd3cf2cc9f80c44a4e0ba9db036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000058

Filesize
160KB

MD5
ecabddcfe0c45f64ddd26e925333fe5f

SHA1
612999ff8391e731a3cc8167f8fe514648c98027

SHA256
52d990839e0039692bb07dbc83b206d8e5b0bec9fa5c53e9cbe95cb71d2a910e

SHA512
4e730c391a434a2e05d06d3d4280b47253bab5768f5fa373336817f4a1d88664b53d974e75a99f33a0c8ff1128d47c8c9fb99490f84d381e7a219c31c88464eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
05b9a306ee897a371ef3d2421c96718e

SHA1
61434138a85153cfe091dd39b4aff42a2e22bcbc

SHA256
fbba7e222664f4d8c4c3dd2d1d68379a66ebf8565b418d7e83fd2630deea2e80

SHA512
d45bbbe41361114382518e01539e096a04e6f4c3d2336b6b030daa7a1032f0b2d3f74ea139a1d2d3b3b519632551e59dd3a93c2543373cbab104f263e2096cea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
49eb63d23d3238720dfd365301db9845

SHA1
c5fe4198399e2df6009be29c85bb26b79dbe1722

SHA256
ec64cf4f4e8fd89ce7741d0509a7fa790ec3abfa44a3532cf6a72581f1e16899

SHA512
a626a336837d8781975001a756d1d4e3b02d7b817fa3115f5f71f1ebee5679850e70ed7e3a1f46bea233ec0723bdc208a75cbf4da8984a63a2c66d16d24fdcb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4b96c2396be33a5d581b77b08e3c10a3

SHA1
18332777aa3d8d4da09d78bdfd44d311a4473e56

SHA256
61c507ee31f1054d25cf96d38d2e99e282f9403b7dbc600e8bca75c1a6667ae1

SHA512
1ca803c3312b16cf4605f2835a8f08288f23238bf9a49be222a0783ac48d15533966fc44bbf080484d45375452eccb2ada3bea192ec2e532f48bd8485ba9e2ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2aaff34b307bc5fcc57199be038607e4

SHA1
848f68a60d4a5d3d7e79f1195aea8b7d68b5a246

SHA256
60ef8afe3d789eb37586f5c6ab49257f5069a88640c2f0316fe14486643799d8

SHA512
05e1e1d17b90a3dcbc29b902fb6d44eb58b2b3c5f19d70ae832318da1df5bc3ebcf90850ce3fcca32f7016a087084b7b2cbb7a0e818c92c5ba74f4686738af43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\53496414-7def-4cce-883a-8a58aedd8d26.tmp

Filesize
356B

MD5
fb21fef74334a40f8e9637e17687cd91

SHA1
4d28e82aadb909fed84fa1d97738d5da22893ea2

SHA256
571d494f2706daa6aae9e10a314e70a172ab058dad1f48de5603498064634f13

SHA512
55c895c0b51b8b7c46aadaf992d4e3acc4547776f5daf1219140f1a445a04913b01744d743a87fb6d803fab80f53d09ce3f53c522d9d3ee34296d8bd749b6386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
db0d5898eb2055a73e8ecdef64f826dd

SHA1
1292df45d161923682b1b50b4aec54a887f50053

SHA256
e4edd2db4c18ab418052b974c53f7637a7e6a65ded91c6e295d53fc066ecf566

SHA512
f9ace3840597c23b94870424743d8da8804a1fe115e07e5c5dfdf51fb0c7b6b576cd52b15c36dc62a1f31edf7bf7e9593a6a934903661d3da89dedd8f047ee15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a180f957060e3c04c6192102b47f1a4d

SHA1
b0586d0982229409b3c46b563d66d784550b2488

SHA256
1022600e033d3e45acb8951d0c4f62fcd0eda4efda65509abfff72830b6650ab

SHA512
51bf01bc6d824dba85bc101967a744cffc4c94f459f4820e3466c253ac98d1f08a8baf98b30e7f0b3d6849f9bcc4814b3645e734d0c0d87ceac820231cc3429f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
39b5964858db9a292cf65ddc7ab9814c

SHA1
42237911ed5d22edecad53ad2c05b4d769200915

SHA256
0243ccba0f7c5239ea36ed784415faa67dd753f491da41099b5f52d2ab1d7129

SHA512
654213c4e7dd6a8b0998fe2353ae74357f5bdb73a89926cc583f59d1abe98448de1b7830c1a60f30bb7d7aa85030d26993f24f42789d1571ae614a50cd996770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
61dbddeb792f681f705a018e88e23630

SHA1
7958a09c97876ea876cffde0bd761d5682e780b5

SHA256
8d5da3d25d3fe0b92ac34135c7a698601d0993a17579348f8001049021efbcc5

SHA512
e5f53f7775ede002c0986c8172cd958e6d40d5dc682d2dd0781e043a94bf871847762a09eb96271fa792f0bb29638662de63d4c4fcdcb17a1035f4dade79365b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
6a74b64ab777396b5eee2469458a9ae8

SHA1
ddce64a807b3e75fb9927142842323e37052570e

SHA256
39465d3b746517b169a28f1578516dead99e82e5c6119311415f78c18766038f

SHA512
4899b3d6d9a50786e404abf9d191e133880a233a9e5e22e976865f07c2d76a43c52afcdcb301538de7e4a8356a00aee65830a37cb8f1ca0fd6d6e8d87a8e4b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
8a6b249d3442a5247cce1ad6e17803e0

SHA1
232143009034f4ce0508fc435a747ce217e7a743

SHA256
22a81ce99bca6b859553b9d4729ef85f5be5035baa39e855cbd4e9fc86b6943b

SHA512
6f7ba85e04079b136353e8fe10edf474ad4b6b3db54b319f47f1358ea4a99fff7362680279cf6ac58ccc47ef6e6e7af6282b6c30982a814520b6c3fdb3f01ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
70d436df16bdc66bda8982ffa77e19dd

SHA1
0a5423bded278bffee05131292f240c7608859f4

SHA256
ebeb375df0a0c68b6ffa066de2ca76fd2368b78b0580d5a0250d9ea715c1e81e

SHA512
566af1aa1cb906391c987bfd85dd73535e614aeaa13ee372c2180ed869a75d63e5c6ce7f4535666be6d60336929bed1b7e5a293bcc86283cbd6687ad4d7738af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
6e0ace3e1c33a5f7bacc5d86c8d9d666

SHA1
b367e9793808ef9161421a8ba066c396449cfcbb

SHA256
4dacf755292eacfafb5ae6dfe32b945903f1c46b208617481f6c08d502dcdde1

SHA512
79e16dbb8073ec3a8709fc09a534eeada16f4e90e1d563662297106ebb319d703b6cd37a3f8ebbcd881cf89588d571dbf87a9a91b9e72ec1b6367b6846c0d275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
dc50792518292d37c380ef0b25ea3ba2

SHA1
43fff86bf915dd29eea6fc946fc6a5734349786a

SHA256
6ef67eb90dd600ca264703b2c29f01ccbce13a59a2b6b0e0ec9d9661036aeb94

SHA512
9ced84140ab649f5a3a39c1ebc021c82ab49d2bd8f69ddf70daae40ba555a8f3b8389ab1f666a5382ed3f892f6ffb587d2e85f5ff455181cbdff7c3175a2a9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
4baff7c4e84375578333b1a12b7a9f49

SHA1
8c270625b2c9ec35784987e059c676f9dc7a35bb

SHA256
6d834db5dc5eac264eded73f35eae7b134e3499067a979c7128aa7057e4bf984

SHA512
5fff206b2cb92aa88abef35f22aab0bd9d611fde199db5be65490eec76270519df5d18d074d1930bca4159d057ba737607c90228efb7e87ae18a9d57e442ddf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
d0d41b06a430bd50ab40dc79a9ce834b

SHA1
934ffb4d6c80327075d8cf1da7271b3ce2f30d6b

SHA256
b7916d2fea69d72c6aba713bc2c6a3d65a9c69eb25fac31499e283dc77e7c685

SHA512
41f1863b33bfc0c87d94b6c906676e667b887ff03a78c68b25d15824f704aa69137f8e96edafe6ef06a21b890a52c087eecaf0256c6762e130eba4c52fd1b390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
c3e6277d7c848017209e6db012ec8689

SHA1
5c5f0d4ad7d06df3fbe8983a0463fbbfedc66307

SHA256
fe5e9c4c3552060b1f29f36fa58bee8a1bae8aa3eb84b9e709129db6246145ee

SHA512
cc473777a078a8c42608e8037c3179f75b5dcaed792608d17b6ef5a00d5b6fc812f56939a4ed28b54bb5aeb3f7f09b2450ac4528484833de33f37e61796f4c0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
324ca40823f477f954533728a0215bcc

SHA1
a254660c593bea2538cb200a26b34c76f7b4c103

SHA256
334d8c6086dbe5a0cde87c7cc70ec6ff62e44ca495b75d64a561e02035e8e3e0

SHA512
78e17c5610e5a3fda4b2ce3ce3bf3466036c3e12840d9a464ece1138217fd335df0807224130c36df8aed45076b2ab1e9e186bd7f30cb5be4573c8a898129a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
92ce3d5047365b6e209e2d60902a6dca

SHA1
fbde36732ff975b0d4671472cb1c1cd153cda98e

SHA256
127be4909cecc39c4a4e9040ab146a623304f6e093cc99acaac69907b7f940db

SHA512
42f14b675bcf3b0f8897a10c2bdfbd4e71b6c7a3811208677fa10ccbbe14466bd0af90bded300b8d5183061a3e87564d6a360a3c35575cd07b7dd467f9f09c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2d3fd17e621960f1de631556b78e3993

SHA1
bb24f3a146d8c5e6fc0baf0ae9015605f6d0881c

SHA256
0289f1fbee62208adf863b96b324c5befc35e9c235cf8d0dc8a1ce48d6cbfa0c

SHA512
7c5de8c121a1a4a5b1efe67720aac4b704fd01a4c9e1a9a19ced8d7ccae02c16eb091b30600da35d335209793d2ea6988ddad9657a570196589389ee3658fdfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c7e0cdd95fb6adf382c8fedacee6d934

SHA1
3d29b865a4330aa740cb1620229cee5d9466d381

SHA256
6da3ca363d22f64b1735d952a32adef01b2ada3d2bab2eecb5724ece7be3b1af

SHA512
f531abe0d5f8bbbbfb088ab884e08e68322c7602dde901149184b127df97a1c56e49cbb2875d6e8cf45dc2ed61bbfddc542733a6a6670ad68be3c4a123dc5323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
40efa1c09b2775e8c8b384f5ef667ecd

SHA1
1d2d1f3dbb619e11538e45bab829237b4d98cf3a

SHA256
05672927c8b40ed470169f134246fdce565294e307750625ca61f7832c71fa72

SHA512
687d5d90284b104816d5b681eda5c3a07d4e5ed98608549ab9c49e42e3396dedff568a8a33d1a09db7fa04f2da41e1005f7525f0905cb0399cafafd4d3a4569e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
40be5b70c6bb060ac7d192c6414376c5

SHA1
f6a4a3d805db74838ddb72c427df1937e739e620

SHA256
6e702efb8b918be60f7f42a7008a8782bcf06b1f6aa3b2f6f360b7cc91819f18

SHA512
c751b0930e65bd56695e0e2af46a91069f7f5303685c59487aabea9a74aca4aa5d5e04f8a081d5a57837c7db535d8475d4ab705e545a43b820780bb87d69e97e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
df7c0dd4363bcd076dd217416e62d6de

SHA1
77bfa9a85356cca9be4502f24061454d28a1faba

SHA256
749b1d977a48b483946a75e3b0e849fbb1b861a141d8240e04b63aba6c2cf03a

SHA512
4349ed135f2d4f945e164ba33d9208aa89facffeff1b33a0f9f78d5deb3ed7dc1543c1ae0a6eab839512954e838f24bf6cb25be72be61b6e39eb2dadae318eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
16c35fd4bdd1c31eea71c0d7c1217c86

SHA1
52715398c0ead1ede528ffb91ee1d6a7679697d7

SHA256
ff6ff48b6d06e8fb99f0e488bbcc3b582e711a6623b2fd4bdf01fe6cfec9c6d8

SHA512
6d145a7eb97104de122a4ecee41b30a7cdf63337b243063a07875469e540bff4157dff7bdaace1ef57c0be9b61175266e47e47b119003e7af47b74ddb58ddcb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
8c8fbb8cff00d240585f7df9898caf00

SHA1
752129e3f6f7e328c02086b6189560089c3fe2fd

SHA256
4fdc10bdeca77a1c0509feb0488ce2c9a176255fa732dc78c0f57c8286e4d6d8

SHA512
3f53d410866ceffd1d03b57f99ef4d1d045c4b5389d032784462965693893b37cf2e2d65bf393389eabf2f11750e655a66e8b24caa2c215b3efe4a8e86b28116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
5cad7ee3a24aff821e8433c90700bc85

SHA1
802dd71ce00784841612f2657d0c9fa8ad2916dc

SHA256
2ac3da84977c33a1224f00676e74c375b02850ec31f77473394f0882eb47faf2

SHA512
41576ee93c12ca77c59d2e89f0ebbecd84a4b7d324dcf7f37183009d87cf05d59b34920b940d42549e2c8a3e297619c696956eec74428f1679c626aa49b4ec94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
84KB

MD5
ba1cc21810894d5f939d5998ff185cee

SHA1
8e15b2d3f67c536cdb4937f98f400b832394f0a4

SHA256
4e244e507bf4b624209602c54cacc9dc893e4a9b827127d8960c0838ae86f6df

SHA512
de048cfa2765b1dce05e4cafef4e7410edd5d5ee081a8f4f6bdf4ed4cd27987e3bbb212dded61f129045d72e547939121e83bd5886fac2b8b62d3e7745b86c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b030.TMP

Filesize
83KB

MD5
7e9539854bf94f40ba2806e360c9ff23

SHA1
9b67cd6438b61c29b4c90a87e37ea0f090433a8f

SHA256
0d39960c6a971515d5819f70c921a60468f285531c546fc620abcee22dee8936

SHA512
9ce54d004a26fdea05acec755145fd9a2f6b2942cc1678bd64b77c1354d0e74ca8ac47ebc9cada22f06cb5fbfe850058a60bc6ee4c108a6ecc27a47f5b068998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e3b10c3b9bdc75939d265526106d6b9

SHA1
d774f8018cc372e6ec0be91f9a77f4712c8302ee

SHA256
e89d94e03b3c509d495df0fa8de352a64153829211fd24bc953b77d0708d40ab

SHA512
61d275eb4f25a2ecf5c2602c1714375c54dbf695c872e2ecdb909b4b7659f997c2b78564b655f58f4e9e20bcaf51f392912b298a872c116b9b2ee8cbc7455d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0c380744fd4c2c551641511b9155d84

SHA1
9d3197dd4e5284b93a48dc7368d75bdafdb55633

SHA256
c75dbefd354cdce69da3c685a9b3866d2f4d839bbf7c60ead38b3e56bb6417b9

SHA512
44d140584cf8f1160e3e4ab681c4508a700a6514db2ba77ca4839e293162db63c2add4579359345e7364f5ed866afc22e441d80b2fc183c250ee4b84f3d0aac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c3025d57567a9f95ed23a74ea1bfd43

SHA1
6c9663137e794ef2d7eb46a3511ae9e3f5a6636b

SHA256
8e6b3a971b9f871d349b6c81a2fbbb085245cd8d934419553da5030c7a5d571a

SHA512
abef5d124a8c5f39a3dab16182b2ba4ae26ae660d17ea3c63ed993b551ebd0712fefeae434a5210209053290c449115e2f8c3ca140c666173135068fcee4d444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9a7af7f1f08f7de9da3ba647286ee5a6

SHA1
d7a23961ba5f8c4242a03f20686ff516c2ae432c

SHA256
dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b

SHA512
64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
35745802ec2865acb4c60e651e5a8620

SHA1
f10c746a71c2741790aa3f5160ea7d9be1a1920a

SHA256
ef386e977e9fcfc811f2710d0d630e23e2278cf9811770da0c2f10f3965b7a63

SHA512
0031f739cafa1089dc655a3509bc215fc900c20734507a1b0b69f1ad1567fb2fe4af725360cf952a4689e89973bbd59a53ea6ff8bd6c4c67b9e732f66f14a42f

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
8680661a04c6cf0eb8388d523b2e7901

SHA1
bf5572f0c717a5d566b7e8c85e77a0f2900e0974

SHA256
1c17611a7b4d412c11a2bace0c04bb6f23f0cc11665d20d36641810ec347a317

SHA512
09034836c6143865dc4b5adf3016124640b705979ddaf3fa0d8dd9bb156b6be9bed665255162a985b7bce4afe881007a4aaf395e37be762b2d65b1d15fc059a0

Download Submit
memory/1932-8-0x00007FF94DE30000-0x00007FF94E8F2000-memory.dmp

Filesize
10.8MB

Download
memory/1932-955-0x00007FF94DE30000-0x00007FF94E8F2000-memory.dmp

Filesize
10.8MB

Download
memory/1932-7-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

Filesize
48KB

Download
memory/1932-6-0x00007FF94DE30000-0x00007FF94E8F2000-memory.dmp

Filesize
10.8MB

Download
memory/1932-540-0x000000001B570000-0x000000001B57C000-memory.dmp

Filesize
48KB

Download
memory/1932-1-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/1932-0-0x00007FF94DE33000-0x00007FF94DE35000-memory.dmp

Filesize
8KB

Download