stormkitty | 4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e

Resubmissions

18-12-2024 07:37

241218-jf8vga1lel 10

18-12-2024 07:34

241218-jd6bka1kgm 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-12-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

49KB
MD5

89bc15122f16df2eb618add250990ad0
SHA1

47e459aa4ed8a83a84a4912db8a1dc61fb8a6375
SHA256

4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e
SHA512

4d465eeffb4cc1f886614e35b2075a97d604fd131acba2119ff0c7c5c43e9ba90006f67334195f7c415c888b3ef8441e13e3b4890968c8d547258e2e51d5cbfb
SSDEEP

768:+WFNI2RdYFIOoUHEdc8e6akgkb1gndeaet/OtsXhMHN50w:+87nYercEdclHkb1gncFO8eH70w

Score

10^/10

stormkitty xworm discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/hMSQvtUM

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4760-179-0x0000000001F00000-0x0000000001F0E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4760-1-0x0000000000C60000-0x0000000000C72000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4760-5-0x000000001E950000-0x000000001EA6E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3428	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3520	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133789809866560123"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
4760	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	XClient.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1988	4760	XClient.exe	83
PID 4760 wrote to memory of 1988	4760	XClient.exe	83
PID 116 wrote to memory of 1652	116	chrome.exe	88
PID 116 wrote to memory of 1652	116	chrome.exe	88
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 2660	116	chrome.exe	89
PID 116 wrote to memory of 4120	116	chrome.exe	90
PID 116 wrote to memory of 4120	116	chrome.exe	90
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91
PID 116 wrote to memory of 1596	116	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:3520
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:1932
- - C:\Windows\system32\SecurityHealthSystray.exe
    SecurityHealthSystray
    3⤵
    PID:4420
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  PID:2828
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:1384
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start lsass
  2⤵
  PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb20afcc40,0x7ffb20afcc4c,0x7ffb20afcc58
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1820 /prefetch:3
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4784,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4788 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4688,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3248,i,16227733052935994269,13695715591370909602,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
a90b8ac355915677bc837d59c2e71862

SHA1
019f311a3c421ed06766343c33dc8bb7160a14d2

SHA256
1c58ae9397f328d25b479dd69963f0734d528354bbdba1cc5c76288b25fc38ac

SHA512
535e01ae8d58d43ee53ed7246aed294d3d3bf5c5ea2c7b79b849f3ce0a6cc01e3ee209ba547e214466d58279e4c30faa835902e040dad5c8a07b32feaec2a0ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
ea5b3e2e32f1a648b4f69743373c980c

SHA1
09610c393abc30c298f4732d6843f539f1db833e

SHA256
be5c32c4154108ce52dbc4f6c5c7651c695df4a08370598d9c4d2c91dcdb1a0a

SHA512
ec7915c6fad1034d77899ccaaf13132640146b26e776da60a247c8c290414c8bd3098ef9f91a5b31b3086520e40ec26162c904c4bffb17b0d2660cd78cb78c27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
48d5540d0b5aac92336b581cc6d73b4e

SHA1
863cbb9fb1fe317bfdd13a9e0e0b66007e9c92bb

SHA256
dca19810d529c94a93abd40584e8f0e156c6080733778a6b314e5ade6fa1e889

SHA512
b6e66b6eaec3df359834650c681672f0ee6b46f29713f8c22a8effec356ac04f4df34465ee338340d30ab5cfa3a3fc360c2c7545c7ab2e7806d97e71e1043516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5c37c2285adf86ccf2b48884c6e39a54

SHA1
6c44b5dc04a10318d85460c7c0b01b1ba9039fd2

SHA256
680dd005906c4a552375f447003f55bf7c0da2b154bb8485b42fe349457c793b

SHA512
72214dabe388a654b5b28926f2afdc75ed5168b7523822358e836fdf84202eb298e809ceecb601b14daa51c380cf0fdccaafc1434b5c688d742abf79e882ebcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bf134e3c757bcb85e992e7c14208f8d2

SHA1
f6f0f320d82bb818a2f3ef63fd06793429c87f8e

SHA256
a33c61827bae254c6130c4443bf3c5e264f71d6f34a9adfefa1204411a9ae7be

SHA512
101381af9f72d73244d1f7f586b1d1472374fa5f5f2b90137787966ff2df78858e2e6f70b46e213cf4f356f957f342817c04df696ce6f88cc888e4be6367d06d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
093ce3e0c67b601b20d5c417275d2cc9

SHA1
727fcada7f7505041d70cd167b35dd21aa29d4c9

SHA256
968fe9d39e00e36245ea3115a7fab10b174d9a4c63fe2583652116a7c587f21d

SHA512
28ed116703db929cc70975c922f70bf75ae0d8b4cb533c143820a97329da1d64d7e53bab7e5c0913b1675b66b4c5d66a13415b6ec018625be1d55abeebec12e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_giz0kxnr.gi1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4760-8-0x0000000001EF0000-0x0000000001EFA000-memory.dmp

Filesize
40KB

Download
memory/4760-3-0x00007FFB23A53000-0x00007FFB23A55000-memory.dmp

Filesize
8KB

Download
memory/4760-4-0x00007FFB23A50000-0x00007FFB24512000-memory.dmp

Filesize
10.8MB

Download
memory/4760-7-0x00000000018E0000-0x00000000018EA000-memory.dmp

Filesize
40KB

Download
memory/4760-2-0x00007FFB23A50000-0x00007FFB24512000-memory.dmp

Filesize
10.8MB

Download
memory/4760-6-0x0000000001F20000-0x0000000001F42000-memory.dmp

Filesize
136KB

Download
memory/4760-0-0x00007FFB23A53000-0x00007FFB23A55000-memory.dmp

Filesize
8KB

Download
memory/4760-1-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/4760-179-0x0000000001F00000-0x0000000001F0E000-memory.dmp

Filesize
56KB

Download
memory/4760-5-0x000000001E950000-0x000000001EA6E000-memory.dmp

Filesize
1.1MB

Download
memory/4760-189-0x00007FFB23A50000-0x00007FFB24512000-memory.dmp

Filesize
10.8MB

Download