xworm | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-1-0x0000000000D80000-0x0000000000D90000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2044 powershell.exe
1044 powershell.exe
2372 powershell.exe
3268 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fix.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation fix.exe

pid	process
2044	powershell.exe
1044	powershell.exe
2372	powershell.exe
3268	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	fix.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643135111074079"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
3268	powershell.exe
3268	powershell.exe
2044	powershell.exe
2044	powershell.exe
1044	powershell.exe
1044	powershell.exe
2372	powershell.exe
2372	powershell.exe
1732	chrome.exe
1732	chrome.exe
2876	chrome.exe
2876	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660

pid
4
4
4
4
4
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exechrome.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4648	fix.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	4648	fix.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe
Token: SeShutdownPrivilege	2876	chrome.exe
Token: SeCreatePagefilePrivilege	2876	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

chrome.exechrome.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fix.exechrome.exe

description	pid	process	target process
PID 4648 wrote to memory of 3268	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 3268	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 2044	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 2044	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 1044	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 1044	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 2372	4648	fix.exe	powershell.exe
PID 4648 wrote to memory of 2372	4648	fix.exe	powershell.exe
PID 1732 wrote to memory of 1992	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1992	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 948	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 964	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 964	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 3112	1732	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ebb6ab58,0x7ff8ebb6ab68,0x7ff8ebb6ab78
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:2
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4432 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5068 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4660 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4664 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4200 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4516 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3392 --field-trial-handle=1908,i,7825806172332991054,2263165797126221756,131072 /prefetch:1
  2⤵
  PID:4408

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ebb6ab58,0x7ff8ebb6ab68,0x7ff8ebb6ab78
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:2
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4492 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4632 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3588 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1932,i,12046796314867580027,14323489149769731090,131072 /prefetch:8
  2⤵
  PID:2356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d9a49a7d6d5ca840cf0f0e937007e278

SHA1
90197e483cc1bf8970cb6012997b1968f43d8e78

SHA256
183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876

SHA512
142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
19c4ceae9b66ede4aa0b966e25ed6a29

SHA1
d15177a00753c6918b0a29ed9632471e290362e9

SHA256
908a1796b17c83dfeeb3d2164f8b42b9222b56737fbf82555c8a6b46b26fe1a0

SHA512
8de6b21feae1943092f7eec29a4eaedf97b1d5aaa866866f615da9dcbcb3e623fe14b2400d3537e7436e5ad19cc70a19f329f1f2c5d18a243b6473352d5523f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
2df8e0b51a64b0313ff134ba1814f732

SHA1
ed3e61db4f900635bc1009b31991d255e5ab837d

SHA256
011062cd7a9699c660d15658fc9cf326e35d1bbf85823f13cfd0d8ba1bcbbb69

SHA512
90b68243732bbbe07f5683bde862b81374de90ea39ad576a7a89fe1d61f6a5399220c06cb9650ae96f5bd5c92d5c40b75de5d6b043325c9f72ac3eb8b5bbab22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
4896ec04291ac15e2a07ffc284663e64

SHA1
1c2145ef6f8a8bc122795e0bcb9111e9526b020d

SHA256
b3a9e8b27b47acfb088657e8501921af44b703693d3743eefab18dd4a557248d

SHA512
9900a9aa30c6590d23685380b8774f481151d4d2b4ff22ae7b6d46cb7f7b72e7f7b4c7329ca1305a7af3bb44d358a66345217397786eb045d665dd4b151dd11e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
9db55efb861e4a89da7460fed46b609f

SHA1
f6571f99640b2a2aa934c9bb552ff8b7d6e78a6e

SHA256
88aaab4ddd005fc41c1d88afbf70e32e89a0cc4b4994b32179c5209683bf4ff8

SHA512
5d2dae4795514dbca4683edabd6608e1af6d888bcf810f58825d31a5e86ba8a2ce93002d7e3ccfae0bdf368bd84cfb1056beafbbdef776ff574bcc6a218c8433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
2fe8fd8fbb0d131ac46ce59100d85d3d

SHA1
734e2058fd48935fed76343551316e21be4cc442

SHA256
671e14f11c48c26bb7d060db76931d40797d30c7393733cccc2ed5aeade0af57

SHA512
039e4217f9e246c9c8bfbc56a7c73c1171e64901b9db8a8ae92154bbf6988410b0508947665a3bc6323f267481c530840b523ab23f467db2be24e3366a219e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
d99c41497199097024601ea735d54897

SHA1
967597de8a9b1f6158cb342e8563f1261bfa6db6

SHA256
e9fa886041a3b4a2f4f2ea2153496937e0f23bb6c4dc0489d6fc78d2de6c32ca

SHA512
7e62022e185abac96573beefd327ad26ef044774797b5a9852755ecfe671e317422c90b8282f39913b2aa36656a2a775958e70b8e2935c0141d7c23f90230d99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal

Filesize
8KB

MD5
5b010072fe2827e01db5f7836a9dcb14

SHA1
c537ca27bb00bffe4d740492b94478e6052720bf

SHA256
df49c00b701d160e5bfded403290ec370502c6c64a83542dec2ba1c46fee259e

SHA512
9fd29edc1a8d4c4af20327b94204013c1636588408dc9a96c0e901458f24a7be309078125fb7e7e592dddc3327c554aa771391f04d95e67f37e7bb165cf85ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
70faca97a63144c38d3fd073de8e0699

SHA1
38f2b975d7a1eaa64d3d8d649f191c654ede6d7e

SHA256
9ddac02bad8b5c58a8ec04bd9890a001bd58d1ffa3eadb9bcfdfb41d3ce88aa0

SHA512
fb532e09069d2a899e13315a63ec33587958dfb05c7318137fbdebdc601482350a512381276069a088859cff2ee3de34d0b8cdc9e41e9ec8358b67d212befcf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
92232a3ba5b6e00ea433e0b737a88f82

SHA1
9ca54888a5ad92dbf74f6bbf7894393ba16b26c6

SHA256
fb9205a0d29527329adab0829df31a716d97915d8f0c3662513f5df5c2699309

SHA512
47e0ab76fb99c7cb2915a59576e735dd6bce6a49bb1659ba808a5e660d1576f7ab159f5f6d10119628a6c12364f268bb4b4bea522132109ec233dc079fde10a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
da201d910fb3e60d10b00647390ace6e

SHA1
d9855950eb049cedb74ba50f92dffef1e7bf0f46

SHA256
42f89ff51e51d7ff288b7cd71dce1418cb4bbc02a623203c1c0a0831ebe22bc5

SHA512
dec6979059ae16fa16db2e938ee3a6fe9d1c44bce8f583462808eba236897340ffdbdd90d6d6d62bb389d51df952fe072027d601c322c7c304d2ac991fb05a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e899ebb0a1785449bc16343117ddd31b

SHA1
e2793477cf00bae8b32cfe02546eaf4f28c16ccf

SHA256
06e231d574d449ee96f0d38907fb22ed7352c7afd9575db798b4267a3ce38103

SHA512
d65352fe7ac064e1f3d62d8d2c6cb0b161c5e5602f8c995eb8e1c5ba28c7b4eb53ed690ed131593ebb3b25317cc3c78cc61af88c1f6dd83225bf0dbfdb08c3be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
967894577af12ad5fa251d6ff7a0f383

SHA1
9552486b8c774901e89aa946de1872671e90ca08

SHA256
73fe7996912fdec1dd99f9a671ae387edc8e7d48816296733e46ea1c1b95603f

SHA512
82815406ab6c8698269d16b4bf4898996d6848f761788b44765f846a0adda440cdfe20771c16ae4d7a6618030caebada7672c70fea7270654c36a4d74bd77b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
232B

MD5
8a30a1fdd0459d9ea8b1e78a8e636856

SHA1
9d7225e97f9cfcfb225cfbfd0b0bba21d4efdd20

SHA256
88fe1d31608930f2738d102d45c75dc77acdf01a1b69bfb7e7c0281575b75e33

SHA512
b529bce870cd8165bf82f3ebf94f07552467bd0993b9d35145182e54e26fb2ae8e7bb167d88267b632757e2146f27dfddf8867db0c66e5dcc306db12ec6b7bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
32e1bd351b1fc78e45930f1744cfa2fc

SHA1
b20a03a67fa2fd84e8b4b2dc82cb8e0e4db73a93

SHA256
aa4d797a46cbbaab22275d6bd3ea026ca82c82a9ae025b2f1e2b41ba2d5a8c88

SHA512
3e74b9597b00267746b8cb818659d47d5b743b213949d8e4abcddb91090847e89aebd027226c1e46ba63a0c8fefd64fbaa74ad84ecc120192c2f91fe1d59a0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13364313510220515

Filesize
10KB

MD5
6e8ac10168572998e4ee565d814af27d

SHA1
63233d1bef04e6f6deff0dd2dac3b9af0e855d39

SHA256
6c4fc81ae80316030c9d4b9954e54b96641a5711e0c6717b9330639641e4d5d4

SHA512
16dacfb05581bbf3508e5bf7df44108ad218bd6770ec0969c86e60128fba869cf2b70fa575e2b8ba3734120182ace0b091b4caa6d5dd918c8a67b8754dbb992d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13364313531257515

Filesize
4KB

MD5
d6895b4739b5f055077d8eb1ad15e26e

SHA1
0befa7715ebeafa13d170c84eb517ba05d52bde9

SHA256
5424e6a148591629340c0f5b7616e976d69b8def3f0e6d3794f3534087857ffc

SHA512
7863267db6ffce6d091b7aaf831c192c470d580367321a0af0b8a5def51a963cef744cdfb25769cff919fb4de34e284cc7b68beb4e4682a0ad6c4b42aa9a309b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
172B

MD5
2951dd80d668424c8bc30f0c4a279a2d

SHA1
e2ec75f46f0ef3d4fc993184ab1141fc74e7c5f3

SHA256
104439217eb1a794541cf55d9a6fe98a28d9f7b93273bd01bdfc5caabb9d2eb2

SHA512
858b5801186016f8ca1854fb74b42d445957d8d70afb4ca791cca6d7ce96d8293d15174c1a4720fa570c8f11239049d73a85915d0982fe3ddc075e65de1b11d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
b1922ccc2f6705007a9a76aae39c73f6

SHA1
cb3b19857413a90589e5d722bf94599b4d7c85a2

SHA256
139481f9b542e56117a6359714ffed327c9ca519c7f71dbd6d14e004e9c442d8

SHA512
36452e692391a1f81ca9d75a0504cbe3f6e414f25453f21b30acf3808469a464a550db65c5f42967d314bd436918a56b54d29dfe013e6fdfc25d8538b7abdc06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
4c8880e852431209a46d854cda50aacd

SHA1
133930a1e006db94c59ada72317e2e36b626ed30

SHA256
ab3e7bed83ec7df51c3b6a188245b92e29391c8d0255e5c5ce0d8032282379e6

SHA512
096582523a0037e3b8a2b6b2ce1b9ce6f24e6d61df313a628abd82140104d87f109511dcf9aa239f7ad6af7ce0293cac95376fb30dfbe4813678419ae959a5fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
e26de657403313850e49922855985cbe

SHA1
05a94c1bd439a35301b3138539c0ed37a532d595

SHA256
cc6bd197dbd2a3e865bf76bbb354fd680eef75fb08928131721c3a4ba5a1ef03

SHA512
5c0be02b06e485d3f2fb4c92f1a3bd77d2f99d8a8d5a8e7010cd4b6a70e471969b79118827e0c4c63213c2bc3d08a8291ba25f0de4f8f3b41938e51160c74091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
b9853cf5960421632f7121a86a281864

SHA1
abb898faa1f164125a213da3260d83d2229560e3

SHA256
aa3d09cfa760f86f3428a2d7be36a71dbc7f4e2e042d45f6608ea42f3f166295

SHA512
9e3d6af18a6f0f82026789208303c73e37c962a485a7271f1f9bf1ebb4a8f7d4311108c4344332b9a0dfd2b49fba041fbd8068770a1a8778773e2326533bc297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
616cad5e039c23fc9d81d4df42706555

SHA1
836a4238f93e32f2f8d3e46fb74aa98088fad913

SHA256
ddc8aa8b6bc6e6c5f843cd946b5986e320f582c48d9dab0968e3d4a8a6a70496

SHA512
a305b1a1d76e4194a59087bb9a5a609abaf53b8a78e7ac96c077102b713bcffd3c44680e1ae6f79baebf71bc6568d881fd47ae489c8339c7af304da0a96571b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
c31c4325b6b9099d3fa9c007ad3a16e2

SHA1
686046aae26ce5c5b75e807e48e11a8de74a73dc

SHA256
980856d398501a500254c358b46c06061d6f66f4f5e77ac049625d24500380b1

SHA512
d4c6eb6c29560e60052b1c24ece9a282b51a3374eca307ee3d6a824104b12fbc2f10d14f84a14830e13ed52252616320f2d10075da5d323a30a883ad4863f9fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
e078965da55bfa0524bd2ffee8360db7

SHA1
385b2c4f1d7e99e06f52289544312025d662d6a5

SHA256
0baefe420306eff60c1c2f0060aefbbdc4a96bf9fe647f6d82e83a402901c132

SHA512
29761e17b28ffeec016b616a3c9e43af7ab12f6254f42083ed1757d08fc151244c05e3daf068bcd99fa5b5b90261471e854e4acef103f5657b94ffc5f0f499c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
5bb001082e21b43d3a488cf87a82cc52

SHA1
4b2bea4f830b38012fa70b1c97e068d247c4abb6

SHA256
a79d0a048a8ad946b8beb7bd103d816d17feb602bcdaaeff00c848652d95afa2

SHA512
fbcf67e1e48db1f0e0032e41401f696b772a746bc42424477638797b8b7be32164607308ad8075ac63f9868a719b6944735036b30c8810590d959a4c66d38bcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
1ec95fe5d3b20315fafd4213be101e5b

SHA1
d1c0aafcd6506d6c730d9f193587e00b5d6a8e17

SHA256
440f0e483c86b2fba25877167e6dfc4db6a6dbda8bf59eced01d2a947fd042dc

SHA512
9137e6babec769ee11a3570093768e1d0e2dcf8d5bbf73ca363aa7552d990ed602d252699419290ed846d97dad37dd1dbb0e271a6cf4b8941dfd76f7e33b4523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
f972fb17fd35393d5c5ebea7d0610b55

SHA1
87bce7a055b76071de7cd0561ec40c197f5fef1b

SHA256
f1bb5dc110fb624807cde7b8f288c573f64191aee4a0b1ca84b499671634bdb3

SHA512
0e9507857fc76522928d2ae6fcbfbc72938982a6edbfad94e816934ee75cc3d7d87b1085fa887fcaefc96765062bd520fbb6e3308b046f9f3e8c69ac3c960e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
0bc80917fb0c904aaee2f2c035ca3df1

SHA1
98a8eef9a4d14ad5c786e9f2469ed170daa7cafb

SHA256
ba147be19898ea50cc704289b14be773ce62591c04bba058366417b439356e6e

SHA512
2c346005c4f947baee7bb5de3c9a0962906c99454cd38ef3d7b30b9407eb4f0b5246c9445d9bf126f4ae8769bdcb45f2b873626a034f6059d4c5264962f22adf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
5daf9af3fb001f031a9f913941fa01dc

SHA1
c08e25fd68a3689bc5dd7d2353b8b28bf6392171

SHA256
d15895902e53fa2c9f8b0ed9244979e072829fae2c1869baceb6e44effa9645c

SHA512
027fb3e20ac0249243fdd73700e34ae0597ef17eb5fc5b93c849d5eb00de334433c443c31d7079298429b3ed0ce08c12f88a3c3fbc65181195519a4d13ded24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c8f075601e2d61d386e9d680f09b5ea7

SHA1
cd5070b32f13f0f30740ace34162c0803a67d9c9

SHA256
423f7f393133da5bfa6941b53ee52357116fbd264d3b4d2480e28cf7418fd0a0

SHA512
7a82d90f06b0dac23e67ee8509f657c1bed86c8c9f4664199138be2a8110c0f06af1c7c5b659b51c9cd60cd409cd7ca5afcb498d96598d819607b8742c676e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
3949768298ee6dcd333f8ac9647beb82

SHA1
6b325a46d57475c2f0088efcf34658714cc2abef

SHA256
4a4668130961e7019d88284730ac0b6bd3a9b1855abc3c77caf6665bdd20f63c

SHA512
0c476d127167ef28fbd2939c0fdae46f403db69f67f1b4bcb4cc3c83ed3d55beb8ab7276f718b302f57042ebac208c9e14d647918d47d5aa4bcc26d08827b97a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
ea6e60354b61a9d62f1a0bcfd432f8b9

SHA1
f598436e5ac6c9cf042ab751e80c739fffac7cb4

SHA256
659a0eb34b709f718bcbf30cab06e8e491d290424694d7bc155218f2290ff8ce

SHA512
4f1818e4c7151ed5f8784a69f48d8c11e327cc9ea5d53ef7510529ef4991266301121f5bf70f2da84f9e0ab8d189a3aaaaa5901942aca39279d08139ea4c2838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iwbko0yv.isc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_1732_CKCIKHNVWHYCWGFN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2372-52-0x000001EBE9690000-0x000001EBE98AC000-memory.dmp

Filesize
2.1MB

Download
memory/3268-17-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/3268-14-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/3268-13-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/3268-12-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/3268-7-0x000001E7B1AD0000-0x000001E7B1AF2000-memory.dmp

Filesize
136KB

Download
memory/4648-119-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/4648-0-0x00007FF8EF1A3000-0x00007FF8EF1A5000-memory.dmp

Filesize
8KB

Download
memory/4648-54-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

Filesize
10.8MB

Download
memory/4648-1-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download