xworm | hxxps://disk[.]yandex[.]ru/d/DrhbppLJwX0FQQ

Analysis

max time kernel
70s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/DrhbppLJwX0FQQ

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

answer-walls.gl.at.ply.gg:52820

Attributes

Install_directory
%Userprofile%
install_file
OneDrive.exe

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00040000000232ab-159.dat	family_xworm
behavioral1/files/0x0008000000023cfa-165.dat	family_xworm
behavioral1/files/0x0008000000023cfb-176.dat	family_xworm
behavioral1/memory/5084-177-0x0000000000090000-0x00000000000BE000-memory.dmp	family_xworm
behavioral1/memory/4296-180-0x0000000000400000-0x000000000084B000-memory.dmp	family_xworm
behavioral1/memory/1688-182-0x0000000000400000-0x000000000080F000-memory.dmp	family_xworm
behavioral1/memory/1092-220-0x0000000000400000-0x000000000084B000-memory.dmp	family_xworm
behavioral1/memory/4748-221-0x0000000000400000-0x000000000080F000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 6 IoCs

pid	Process
4296	Loader.exe
5084	svchost.exe
1688	Loader.exe
1092	Loader.exe
2764	svchost.exe
4748	Loader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
209	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757021965145041"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeRestorePrivilege	4656	7zG.exe
Token: 35	4656	7zG.exe
Token: SeSecurityPrivilege	4656	7zG.exe
Token: SeSecurityPrivilege	4656	7zG.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4656	7zG.exe
4824	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2216	4824	chrome.exe	84
PID 4824 wrote to memory of 2216	4824	chrome.exe	84
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 3116	4824	chrome.exe	85
PID 4824 wrote to memory of 4840	4824	chrome.exe	86
PID 4824 wrote to memory of 4840	4824	chrome.exe	86
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87
PID 4824 wrote to memory of 4280	4824	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/DrhbppLJwX0FQQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4e64cc40,0x7ffe4e64cc4c,0x7ffe4e64cc58
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,15174163649463028179,3882231187899078370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6193:84:7zEvent16368
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4656

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:4748

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b13ed0c19b6ef15d0ea09be73b51eb6a

SHA1
e2b1f99a7b7e5d314a71c51924f1a8867347f09d

SHA256
cd36ef8063e86da27baad060adf140fc52978b58b5d164216709e37179411c4b

SHA512
5c7799da3a4a8e9e4ca49e56bb684092504d74d939e51bca5d9335dffb8a154bcda9ff3f044ffd660a662a877a2a01d630b19a164c9c07ab95fa20e57c9e470b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
50863f4a5a9c96fcb8b5cf31faf20093

SHA1
d71bc4645ed2f3ebbf4c2e1a79a99daf5cbd98c2

SHA256
fc0bbf7aa802a5914cb1dddbf1de5a40fdc773b0f2bbcdaf60d9c2244d4093bc

SHA512
23dcc7c81eb3a215d2390ee075a74e934db3a91329be08d4e8f607a825d3d0edf5bb8d9c6b77afdc68e5360047eb417196236c6dac2f325b7c27b92566f23f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
6271d7502a2bf1aa591115966794dd7c

SHA1
73f62cf1a4779536ca16109c294a89888451c230

SHA256
856504ae9c0cf43201dca5f2a6c77be6c753a0af83c3a661d987414a62eb2a44

SHA512
905b5284e6b2c21cda76c1455565a9fa9fb45aaee96993a7ef04e8a1c53e326c5f8a799334676be0c92de2f9fff75eb828999c6c518ca7696ed26b45e27ef57c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
44d0ca1833d5f1933fce8d6ed390926a

SHA1
304e75bbbf0f1b7468740f72da74a66ceba0431a

SHA256
f1b84cfaec016e131dd85bd9c89af82029649f861c653c6826bed2b18edb221a

SHA512
6c3b3ba35444515a1fd1c1195a9a4917885782cdb9eb39a961b743a3c896b093a0c1d4968985e1d9c266b851518c649622c99e823ec3491f02c33eaa566e2f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
db52fe8da47a4112b83e1ae1276af07b

SHA1
282aacb49f3a311d61742cfbf9179a0aedd9c35d

SHA256
1351ee36d26beb14af62dab7bb6a55ea44a45779615d736e7a5dc35dc886d0d0

SHA512
79ec304770f22737aa1a8f695f46329152654f6dc6a01e7f5cda8d11930523f5ac57b3a57880aeb2726bbd777b8f372dbd1350e8f027a0bef4be70cdd73eda6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6262fba4aadb84fff8e776123e738adb

SHA1
012567a62bd54890151a86c3f93606de5af1d6b5

SHA256
1e902c054f733ca64e93862c37019fecba7ef038fdbbb99d2e53eb453a29aaa3

SHA512
1e74cad473ad79b183d5fbcef40e540b375390bb5c8f6e232ad0c4623608c19ad6e98b980b57c07d103984d370c626a92da4ebda2efabb99b283a35b320b6f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
832482b50c49909a27ca3e53faae46de

SHA1
8539fabafc121b41735a0ee0834057a94f2521cb

SHA256
5a7e5454adf3c35dae565b77424d8e90e9594e01375c268939081ff6baef20bd

SHA512
27fd067aa48262cf2de06f1cacd160999ad840857cb98b1655266bb55cea7eb65188a40ba06c8f9e409057d1fb9edb63c0d9544ce992310484b97bf3d281f89e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcff619abb9cb8b3802f31ea5ee64f49

SHA1
96c4e83d502f3110c77ab23ea1ff25af71258378

SHA256
c1302d28b58782b8a1a2e55a1123806ab4058dce25b082481f42f0dde76f0a07

SHA512
e74c5cc524ae3aef21478e96cbe3fc0768c60b97e394d1709f59d631bb9bb229c27c5f3b13aedd5b96637ba524ea439a933fd012c28013ef589b671842c9a2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b344ec0085b2f6f251a630752fa7b67c

SHA1
9f6db45bbb6c32a729711bc18f044fda27b8b6f2

SHA256
40135bff42f0ed8f1cf6b5629990f7778add985b8688b6ac9e34c6dfdd415a31

SHA512
d1e2ea6c007072c89b9bf8660ec58c6be09176313f6d5f8edec7c075c443ad5eef750f04e59d30dfc83e7b2efbfcfb787156f2f7befe9abf2d20332055b292a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b77df44af09030cf3323d0a56ccf524

SHA1
b24888ee393d74abd019f3c331b6b643445fe040

SHA256
d370b401f2b55269ce144248f8da00d0fe695eea62c6d64d3bf71f5db4164256

SHA512
1eab6efb7812ff259f0c458994137ce56722f13bd53da1fdd031190c7ea8963a85bd9255a5f78c296549d7500904509599afbe79e90bddc96c99ba72232544c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
57a305ff5249aaf922d5ea3bfe67f17f

SHA1
be109e08217a3811f0e4beb201f83fb788cb8a3c

SHA256
caa8003b13705c4b36d52193cb56dc42fdf4efeb820f9cac6dfb128247be078d

SHA512
ebad7caa4fe1931d78f512dc3e14963357603099d3e5356726e5a79b918f312d94c7962124ef33a03a75891bfe341fef64332d38f7d69d34bc36297479a6608d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
87305c0e15c64f358ca71702fd9d3456

SHA1
430fa9294a7c348a1d2b30482ea74f05e3f712ad

SHA256
df77605c5aef3c095efe11669ffac23759580b0ca90161fbfd6f2362c0b71578

SHA512
df9acce126a806fef332c840ebdf74753a33f1a641a6ab364ae11c836da9ee69a635a6e15a0ec2b963e7f15238e9072ee88285b5435611ab192dabb6325ca313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
eed929e151a3c921594346d3e43c5563

SHA1
2221b7cda748d4a357dca132c8d99911e830a05c

SHA256
49b3ddcbbd27f80e92d0b7a23f822a0e41e57fae0eca058474d3243631019f98

SHA512
ecf950c26c3c9691d8f6036998e4b0521cb2149b6e0439623b3afc6d021850cec402dca57b96b8cd4e209cf3757052021a67b28a82d77f4d216f391c36b028dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
4.0MB

MD5
2541a0bfd934ced4d8b9d9bc30525579

SHA1
39aa6dafd4282c9e7eab9a16578cdef3a6aae95f

SHA256
dbd9b20901df782ca8505e81bff3a14b2a3aae7b5c93862caf7363175b1fbc67

SHA512
b2525b5a165287594a90343349b02a99a19d49a3f488c679f83681735cd81809d2fee718d1e5260e0eee52966259f6dbee4d053be269f599f82ad4e38ebe06c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
165KB

MD5
9b19babded003384cb88007da0541633

SHA1
fc0e647bd988e1191ecb092066a740f27380b6d9

SHA256
5022741ee9dd31e488a941126f8edc202128a7b31828b68e57268ba05beee44c

SHA512
9961c238af735b88755fd55bdeb60b5fe779234cee7fdd71c53ff197d41e3a436c31df50a0203f613e9928f6a106f3ea948893d29a80391348373b42ff8bca1a

Download Submit
C:\Users\Admin\Downloads\Loader.exe

Filesize
4.3MB

MD5
94638ad4139658ef96ec4ca60ebb60f3

SHA1
dcdfb7b54ac394c2212d18994c9a0b20169a5254

SHA256
ffa436b24ed4738ac950e3d4ddc7298391a769ae4844b3da7690e295898fabf2

SHA512
08cfb21ed9a72954cae494564c1b006f140c2af44d6c21e8fa414eeaaec7a9fdc70d1360f56a7f2c26ea5356ba7c04c2745d7e9bbded41c621ad21ea57fcb635

Download Submit
C:\Users\Admin\Downloads\Luno-Client.rar.crdownload

Filesize
1.2MB

MD5
903e521dcc690e20e8009975e16f2fe2

SHA1
71b282b74506433158c7b7265ad14686138f9665

SHA256
a10b26025e82910aa9dcdc620e8133f2743de37b4052b33797b13b8e3a453d90

SHA512
06d4db053c32477c4a96c8464156961ba1332ead682afa7a2ef6a59e28a20166882806922d728e09e874d12a39ce15273836cac517b422ca3c244392f4de5c57

Download Submit
memory/1092-220-0x0000000000400000-0x000000000084B000-memory.dmp

Filesize
4.3MB

Download
memory/1688-182-0x0000000000400000-0x000000000080F000-memory.dmp

Filesize
4.1MB

Download
memory/4296-180-0x0000000000400000-0x000000000084B000-memory.dmp

Filesize
4.3MB

Download
memory/4748-221-0x0000000000400000-0x000000000080F000-memory.dmp

Filesize
4.1MB

Download
memory/5084-177-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download