xworm | hxxps://workupload[.]com/start/gFqkAPLZb8p

Analysis

max time kernel
372s
max time network
366s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/start/gFqkAPLZb8p

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:48480

custom-monroe.gl.at.ply.gg:48480

Mutex

0wLt41S3luUixaA7

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb0-78.dat	family_xworm
behavioral1/memory/4540-98-0x0000000000950000-0x000000000095E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4540	nightware.exe
5104	nightware.exe
3100	nightware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752168832743582"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
1328	chrome.exe
1328	chrome.exe
3692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
724	SU.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4720	4824	chrome.exe	86
PID 4824 wrote to memory of 4720	4824	chrome.exe	86
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 3732	4824	chrome.exe	87
PID 4824 wrote to memory of 2112	4824	chrome.exe	88
PID 4824 wrote to memory of 2112	4824	chrome.exe	88
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89
PID 4824 wrote to memory of 2060	4824	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/start/gFqkAPLZb8p
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8cde2cc40,0x7ff8cde2cc4c,0x7ff8cde2cc58
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5144,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5152,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4804,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4524,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5320,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5516,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5600,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=728 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5236,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1116 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6036,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5984,i,2367910650296090377,7242486483402545118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1944

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Users\Admin\Downloads\nightware.exe
"C:\Users\Admin\Downloads\nightware.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\Downloads\nightware.exe
"C:\Users\Admin\Downloads\nightware.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3692

C:\Users\Admin\Downloads\nightware.exe
"C:\Users\Admin\Downloads\nightware.exe"
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:2652

C:\Users\Admin\Desktop\simpleunlocker_release\SU.exe
"C:\Users\Admin\Desktop\simpleunlocker_release\SU.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\47002cd3-9e8a-464b-bc3e-840021c86b00.tmp

Filesize
10KB

MD5
c3a07a2299e178a59c3eeec0cd6179b3

SHA1
97f64d8f95f6a3c8679902f3db4109e8f38218a7

SHA256
60065e28ffee353f5c982c2dec702f75824f7a3ec6b846a7955c8df4b614a4fa

SHA512
0c771f516ee2a16b079b0bac9c6e9c32a7cbbfc3cb556e0186fe91ebb8603051c3b35ed13922e724bbe9722ae5c0a8a9199dfaed6fde2006588b0313ae8b4d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ca4afbe-9861-4e57-a202-3b6ce8aec0f8.tmp

Filesize
10KB

MD5
14a0021f03b5f5def34b4f04b2b1e8d1

SHA1
7016ca72271e6189ece655c09b0401b298486c7d

SHA256
ea34eadd81415cccc9b67781dafdf94215f72460737d48c41491ad39e3c720c6

SHA512
2aa930cdd4ff296e373c11c680f0033b037de6c7c2e4b91588b4c76ee345adb5292e0e8c73845f54e4285b48368ab8f41091320c84685d89cad95d07b9a183a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4348dd7ff9f47126305574fc5068f21e

SHA1
16222fe3910554a6534813a4969ad66d7513b07d

SHA256
b5b2f51234a852b0d68d49dbf71b172332510ec22a4200bb2c8b5da4c0fe9d29

SHA512
aa9444aae4480440801246e5051bed0ad58080b354c5e887e3d1c3f56ed2985fac86d6affe59237f35094853ae6f10040dab869dd2d3fa37754330f469b2e093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
33KB

MD5
bcad6018c1743a2a2822a8b8fd532f9f

SHA1
2cd27ff0be686a206a96c96d245d0bf5559b8996

SHA256
24078a0e79b673be45864b24a6cae1b13a856db53baf8279f616557bce9359d2

SHA512
dd0a2b259bfb5941ebfa7f8f3bb77cab5023f5b1cd4d6800252660177e34c0de4840aa83896713ebe1a144fd36fac2d8ab1816e51241b6c5eb204edb360131db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
25KB

MD5
30514ac71bfd507d5c3a0c8263686caa

SHA1
82b105e3055aa1563a8de1323812025395aa1988

SHA256
568708dac26708072b855972f51fb6958730dca798a7365b0bf921251416e80b

SHA512
a21134b8cb6449371578fae977e240421fdb5075fb654583172fc6950d2bdd02d4d4cf7cf5810f6b37fc902308304711f3216ed6840a79724701efa9d6b16b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b7c96da46f00f45c81699ec331e71ca5

SHA1
8181df1db6d841f5b55c9630de6720115037d902

SHA256
2ce8f28f7faab67133e3c057a8b63c38f107861240461f82740cad6ed14d3c43

SHA512
601b4597887cb679f3bca486f111b5d58ce87ce86299ca015c5663c34569a9ce46a9480c9b70ba61e8388b9878a770f591a98959dc7b494008f0ea55e227ab13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8bbcb4e6aa39606e1cb7b7d4f51a8cff

SHA1
de72140e90f40a99e038e1e780c9825ee3e3e0d0

SHA256
02aff82b1894c440d1e465f08b595114ef5b499acf3872a0c39a20cddc2228a5

SHA512
3b6ac0ca5ffdd2d34e5a9b91a441a9e0849cf04a2688d4c5896965c5f2c78214252bdbe2a70f124b300b16e517cba512ffaa97d480384a699048f64d733a8103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
ec51d191c21cb8e570948aaea86f788b

SHA1
d5b958aed48e12272e2d78fd6ce865d8fe361b3d

SHA256
90cc3be9e5518693b87a0559d70a3c582899faece7324ee050d6c0a65e7e8847

SHA512
7e410bbf6a2de15d6c14084376ddedbca8f4645e0e950b6117796d82beb3870c299b54f3c717829dde861cc7ce833b64ebcba0fe9266cc3127924be17160b7c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2f8da49a86bedaed1e3892df46eae3c5

SHA1
f531568c6dde49b9eb1b58affbc48a32f30de873

SHA256
07a3e824e64d6aac9dc61bb993f3cc6fa44685776c6605515544eaa652eb31d3

SHA512
70c6df89a6ee18bb5d757748c376c11816edc678382caf08b1fe2ade719d499dba8ca75a1ac2c27918f113e25f60f90f5452ebf7e89e501f16a86ccac78524e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
e4b5c7ea55f2a590412f5feee707dda6

SHA1
612a9561981923957dbbbe967dc586ce7944f422

SHA256
ac6ea13111ba588061f5abc1dcda5b6968a21d944ed6034da2b22e57bf93836d

SHA512
6dd748205be6e840e0d5bdcd4366de03c302f4055e6d294d2b6d1ec22c9dd1e539777a5ed27df9caf812807e44fed6968e11d8a9586a1bbec055d4fb75a486ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4d974e1789a71c0fc673e6924c38c16c

SHA1
b9135a905b13c1dfe4242f02527ee399772713e5

SHA256
1e7096ebfe90dcbe13e58211dea54eba8e17a8abe86e1887f80aa173606d2207

SHA512
7a0a14787f161d0d4bb3c103e6445d3a96fbceb05a1966a3b02c8162d9844e61675860a568c48769a173181e335f3fdb76825d520bc0cc0a8b396f3f7eba7f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
67819c675a3bc348f219274fa773a8a8

SHA1
dc4462f32483e24aaca6295f6bec6efda25041ab

SHA256
cb45d2bc70ff516fcf7eea0d9b1cd85c1aaa32076df769070fc4d99aa12215cd

SHA512
9719857f5cee92b7c87095a7781cc85fee2c61106ee5ce31648924e5eaa1a4bab6b98d70333233c7439b59d9667542faa0dd96b6854eb9414a263f310affee10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b5b84db026725e335e8a584ed160f880

SHA1
29104c808abdc8bc015dad9055cad2338e1aa42c

SHA256
e637acfb150a77a4106e4d501440168b04551e6f3fd860e5a010d181c508372c

SHA512
8522da462ae9dc85d5130758de95d1824f39b748487462eb14f1be88d0c3b1402d6308f118670db4269a305db83a883b1a5fd9afcf0a496d15c5938ae0b3a07d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c319ca08b538c441c35f0623e0657bb4

SHA1
adfdc2f561a99b4d6b3b9a89fff36621cd23f2b8

SHA256
675069ea4b1b93b291908042455f16a2b31dd6ba0b815a632af46879df572bed

SHA512
9b9c8b065abc296c029111b53e408919e4c13b8b16d0567540691e92b2c06bf50cbcaaf4a73edfbd1a0129c392e4312e6ddc73cf17112e9e5ac7d2ccb269e48c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9dd67ae1d52d895b672f920660ed453a

SHA1
c2b2efca9599830aa4630b057a28c9aa3e930b9b

SHA256
782fdcbc85bedc98dd75acb8e4a2a71f7b38305082947701e184402cbd527974

SHA512
5d3127848bf3bd4ba418f4e7f55ac01f78c79b3e5769b256f5f1a2d8d50bd203b371a3adc42b7edf369524098f7d3ef79234dbf465394c97efcda21bc0d91d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
95fb3ea65ac99de4899922941e6c47ac

SHA1
ba89a9a19499ee8b0dc447173325567796e0ec47

SHA256
fc329fc9013796e3e19127a9f83654a24f5411dbb7d3e0ee974fd2bc0e7a820c

SHA512
49fe3bb67959327425dfac8bee90e0c172a9ae317ca45de2cfdb8f4f3631602e97dc3cfa38460e49e58f17301eccf2d0dca70c035ee985ca1f70f868b484cada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
235032e9032d55899057d6f6ffd4e721

SHA1
aedc4b64811ad8d7246dec09dcbf9addcaab7460

SHA256
d9fbdda401fb73b530f4939459a95ce79b54df524bfa8096dd7c09b44426311d

SHA512
d6c4017e95c96b8105dfbc68d963a75cd9f381273e5d98a85fddf5209fb45a4c9407de57aa71b5a55faa3a9df785d3e8545375507db240e5282e10821965a66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8e4b9b533b811a9356ef5f255e7d306

SHA1
f6045b5ba220d29c3c6ef1fd3424f47e5fc59561

SHA256
853db041498ea58aba15a8bf5c86e90780312e355fe8a61bcce80d41a1fb4c97

SHA512
548a87adb6890158b87eb802b8127e9444bfa900c4203a3f5a93c4c43243c5ed8dabab3890e2b431e4e36889b28bdd3c1daac4906394a27ca2b77f7d4a05f98b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b062cee1f50694f00937e27223d20306

SHA1
080c3e50779ac1c5fc7adfa70a28b47be66717ca

SHA256
ad1c20aa970b2572ab62c1e006d33bed131c44ba1c78173e601def6f45f6f2b2

SHA512
cd9cf3c0176b8b64aab2116841559b9532665379d2f309da1f45f83a7106f7f18585757cf6e2bf74c0a94a02c7a761e03d0da4235b6dd7b97e6439345a73fe88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8670ae76de5943a6e63176498e62e723

SHA1
9d51165871494f0c191c5d76f9c47d99100602b6

SHA256
7c038d4cbf096ae6dba835fd1ffd1ba212a2df3923c01f186ad24132d5eecd36

SHA512
ee2fa3f08967f7e37780df0d7f475c5d19d35cfd48e046d9fc78fbdfbab89ab64647ce0578780ad323827bdf82e6214e2202e66e27656a1a98d4b4139823784d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
46dbd5d372dd78b61224d054a3d3cab8

SHA1
23cce9d602dd67bc0d671eca7b30a5ddcb56bf4e

SHA256
7f26035545ee5987cc8346f7530463c983610612b5b9f009892e03c0dedbdc15

SHA512
a3484ee2defaa969ece4bdac0295c5ab00107bb984c0162813f33b13edf71d4da2fdc3bae98c249f9bc7b9170a3f0d8a0c544ff482e831fcde8c1e996b232084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
de3a412e2115d27830b4e78d0a38cc54

SHA1
81219527b3a28edc57b2cf27c8e3f80e8b68ba9f

SHA256
7c3a90dcd6d4cfdf085705411615e23adcba2c167cf31e42bc44f49b3d0dba46

SHA512
01c39833b2167af83e780e09b39fed3a52e58f8cc25fa521e36133e443b9b66c55fa73dbe1427e0be5ce187c3ad5186b03af20181413e589f23c2422bfc85097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ceed6983d9c7a6a142bff9b4942f4045

SHA1
1a7143ef3ab9cce60f327f63de18935e39e9044c

SHA256
fe22e8a9a624cda94df78ed864150184ea85a8ec24b6fa99f0627fb9c4c01793

SHA512
79742e97269aefee0aa8d3ba17814ab3ddfd72fe4bed0a400977c07381847da653a9dd75e41b83b5e8609bfc959afba3993834a90b78a689eba5d51e35dc9ca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
387cd181d489f63d4836788f8ddb9d07

SHA1
8a171c154b5f9d556e2d67353a17086fa33cfc39

SHA256
52ee1ebbe2fefaabc3729fcc774bba7744d5ae1ed8f468185761b30ff4623168

SHA512
7c4d760a02ff5d7a70d9c5f5898783ef329fd4ab7b9de4e0eee7bf80eee978787ab117553e05b08d6be94a7a8b80eb450eaa40385ba8bc0c9634e65547228f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b2aecea81fa7e5d5cef7d327905095b

SHA1
a3c47682b0f86da47b60849267bdb844f9ebeded

SHA256
b11278b8d1a6526513c64d7ee4bf2f821c969f691b0d8fe070500b1dc32b26fe

SHA512
935666a5a9bbf1fb26cf59c587352da550a2f574dab227051799997249576e79fbd7339234fb848c819298c818b0bf290860a32fc2e408b7b31f779e6c166bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bb43ad1116b4900797ab32bf69324385

SHA1
1ef31b2658ac320978643287b707bfd69f49da66

SHA256
a8f023f6a2929317592cfb427b18e8d771a3aaa5798cca02c2e6c1cf033b750a

SHA512
06990e2f6cef3d91de8b2ae854c0c2615aba279411b9bf27c262fe4b571bba9f961ee88dadb1861bfe5da06c1dec9abb113c2e19ef9f21ff30f6a8e75c0ff79d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e5b94ff80cc20bae1455b7ad1b89a93

SHA1
65cadfb1451747bd1567d3b933ae888843f901dc

SHA256
c3b10087dd21a9807c34ee86f216bd224bb1315ab6841fe0915bd72dae074820

SHA512
01db78e670dc2605d6bb17903d4ca25669418a000eabcdfdfec3c4299aca68bb468e7a9935d2e7bf53de2bd7553aa8c74196d1f71d33321046da5a083e5a2ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b13f41fc3b6e7d8930bdd38ef1c04bb

SHA1
51c2c04b0cc34e681c50d270858cadab2fc5f4b3

SHA256
90d83514d2d2e325197a960e0e6a169ca8cd3128763cbd5e1bc4dbae7beff6de

SHA512
9b1d0663362372c7368887afd2469d24e6bc3525b4e136df23ee87e2919b8aec18c6e8f663c32f0a5e4de47016f26cf37844ec62c69cbe1a791fce4d462a2de2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0c6bf31d96f86c40463031796644b98

SHA1
dc64060789f8fee003928b860860a87e0f69e008

SHA256
bf1032bfefb0925d105af8c48715ab6f457dc091e273c8a6cb75b085cc624415

SHA512
b4a7fb7f6bb0703898ccc3a5daa1c2baef6a74418c3697a7e88de556cd12729b895c671d0f857ca599097b92b078b3ab63cf2a37a0b60524c4695b1fb58dc0de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfecdfb5a8ed6247c16f236d6c5d0c71

SHA1
d0078e52f854f2eaa1ee8f0a493d75cbbe35bcba

SHA256
a9f156f799f23b8d43b94d213cd08a13fa768b8b1d744f8d897fcca33ef8a278

SHA512
b5ec0bd4835e3f49e347286723130b50260dbda29d1ddaebf34bd66fd556a28367c81c72473df95c9814423dea81a187c4b9fe73f713d17c51409507b25cef49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffd8ff5b890dae667d1016cc5f986ae1

SHA1
7c36446bda6ebb1f7997d08315f0953dfabfa688

SHA256
5fe13c5a0b96372f3374dd0a87af11d851cc1c3c07e7c37c07caf6c644fbb5ed

SHA512
3aad8ebc2088bc8519a31d8845cbdd6fc59c855b7f480b77a54a80484827b01922af74c8bfaa4dba3f0d8227859749d9be3a19461f11b34de3190f4cc005310e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1aabc7a19df2e0b9691f76f07400aedc

SHA1
c0482d58d020c51f9452852adcb159334216971c

SHA256
3c081dbe0c3e992b5967929ec4bcf366670abd61a1f9af05125056ad99f9789e

SHA512
4172f39f0deff329df44dcbce3a80a64c1b828a41bd1f17016541bbda55658010d69034076800a646b9c445a3f418490fe7130b7549ad401bd1bdf070747eae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75694b8fba90fc63332fae6b975629cb

SHA1
c905ccea6201ba11fd6d1a24f57ed5907a2d0d85

SHA256
cf9dd379e221f0b407871d161008680280544f0b72123c684da548a7bfe0b825

SHA512
1fd029c931465746eda1327956ea71be3b84c75e41f0df1196cd113af703803fd25b076c9cb944dfdc4d02dfbe1de0b47c20cb5446bfc73b0722352b8a5ff5d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f89c59d03a8a54ee52eefafcb72737aa

SHA1
dbb31ff0b675dd3f0005f84efff9b780e6256510

SHA256
33506fd6a73a1fcef047973aaf49ea6cef3ddaa0f1eca6cbb6f12b6aa344a510

SHA512
161808477f664c36eb439e1bee52e3bb3db70919b2120d13f89666474621c0abeff569956ff5864d9b693a6be6c20f4b49e535cc50361c90ddac70fad53924e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a54be3886a15936ca1c1c8e614b6be8f

SHA1
aab717806286be3efc5b54f94e9b14f08321acf8

SHA256
b6f95cf8015d5eddcf6fb5a9f624b3d466804491151140689b9e16b92885df30

SHA512
6aa95f7d2fd7826b27c1d649007202bbb0cb2e057b16dcd77abffedece2823ab0512b720e1258953720dcfe97cab1ff7fa795adc1f3f887c686b40d361342957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
934004e91be355a02c15c461ba4bbdf5

SHA1
b235d985257145d42afcca4068096e935b23485b

SHA256
c2584977ab5a1fbc451fcd3fa2666309f5aa1448f2c242ee2822d1bf8c264767

SHA512
f4fd1d9fec1c371abcb48339ebe93d164ced5dfbd54ec9a16965373fe0807264525991c11af16f26ddef79827d42066d325861576f02e8ac3c0aca8b79f2a854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17d5894fd2a788c506d31bc9ae374d37

SHA1
6f5349c99e7370816d421843553dd328582f5199

SHA256
f1efbd59d21bc554ef91d15541069ae51ab9e9d7689759cf2de717e769d6f0da

SHA512
7ee0e296529c4ae7d6dd97d5add66ff955f27c3ca39891abb765cfb20cdbc5f7b952da97047d35369e429bd2b5bb39fdbd9ab35af18f261117e478b692dd609b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1907721fab084744945c192999beeaf

SHA1
9e4e1f238e8fe06a86c5b63f00a9168dc46afa14

SHA256
2395fe52848febec24ade2cf43655858955ac930e29b30e6be8514d621d0cb70

SHA512
e09bfa15c1b88c0e969279ac71e9ded1e4ec41854df435fb00ad086419db2e03c1ba881d1ded8e8ec6a860c631f30a49e011461fd254eadd607353e4deb43309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e319437f72e226598e3077721f8ddcaa

SHA1
1e9294f3d97d18c000aa1346bb6cd770a9280f9e

SHA256
552e0329b8abbc7ce7ce53f5f77dba3a75af5aef5e40fb55ad2c3d38b71c8fdc

SHA512
f56bf73b2c71d12a10bbd1718559d5bd8bfe55ac751ed98a462a7378be0f91a091d188f913f9b82008699dc697c5ede2c86a86abcd678b0097ba4d0b2d616e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
705c32e5efa7c3fb4d5b767214ce18d0

SHA1
649d6c8abaab1d306c07c401cb4d1cceedf4e40e

SHA256
6c0b66d7ae4ebd7faf1cf96202685b905bfebc25dbda7b707532257b221ecc09

SHA512
b030d620a6f23c158166103894dc707762968f38d26c42c5340c5a56820993987873261504ec5f69fefb7a33eb567642d52301a7616f9f62227a2a1f7179bcd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
305b3c23269d23fb5092b4aee71b2883

SHA1
ee9a4c0214f6ec8d8031212a061f9fc5c65b0d29

SHA256
533b4022a2b807c5eb527cfc8f6600588eca4800e09d7e87a9ad776a69065310

SHA512
41d106c1b893c43c747b61080ccffad8b8f9ce8ae845d8bf504db71148ea07e97718b248ea236221b660775a80cbfa30f5fd868712e4b66c64c9efadb92ee3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
6b46eb6a4449b67bde9c86be01c96b81

SHA1
7b4feccb6d3873a3e304ded1c092c981741e9cb9

SHA256
d024b348f513554e0026d58125bcba8b89383afe77c01431610eedc38f012a61

SHA512
98ac0ee7e4b78ba75f6755cc9d5e630f57fa68ba6d8b73a7c2849a56aa215a20ad1879a0008fd96e77d77b24e915509f440cbafdd2b89ce2563af3ee2bf41699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nightware.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\Downloads\simpleunlocker_release.zip.crdownload

Filesize
1.0MB

MD5
73689b4624afada0ed9e96d36ebd49d9

SHA1
bb37634ab933864c0c188e48431c926631fffcdc

SHA256
d60555269a7aba90ed5826f2d9ad4d71a7ae02e455cdfe72da46af824e51c768

SHA512
e15296c8197136c2ca038176278c237ecee5658452eadc3dc03c60b0772fa0b3cc17c84b753ecb74625a8db551fd1959f4bf2a9547b84064496d28e36628fcc1

Download Submit
memory/724-499-0x00000164F6AE0000-0x00000164F6C16000-memory.dmp

Filesize
1.2MB

Download
memory/724-500-0x00000164F9050000-0x00000164F9096000-memory.dmp

Filesize
280KB

Download
memory/2652-220-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-225-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-226-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-227-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-228-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-230-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-229-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-218-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/2652-219-0x0000021FAB250000-0x0000021FAB251000-memory.dmp

Filesize
4KB

Download
memory/3692-141-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-144-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-139-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-134-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-133-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-138-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-140-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-132-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-142-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/3692-143-0x000002675AD50000-0x000002675AD51000-memory.dmp

Filesize
4KB

Download
memory/4540-98-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/4540-97-0x00007FF8B9523000-0x00007FF8B9525000-memory.dmp

Filesize
8KB

Download
memory/4540-99-0x00007FF8B9520000-0x00007FF8B9FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-100-0x00007FF8B9523000-0x00007FF8B9525000-memory.dmp

Filesize
8KB

Download
memory/4540-197-0x00007FF8B9520000-0x00007FF8B9FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-119-0x00007FF8B9520000-0x00007FF8B9FE1000-memory.dmp

Filesize
10.8MB

Download